Bug 2492794 (CVE-2026-53164) - CVE-2026-53164 kernel: iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
Summary: CVE-2026-53164 kernel: iommu/dma: Do not try to iommu_map a 0 length region i...
Keywords:
Status: NEW
Alias: CVE-2026-53164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:06 UTC by OSIDB Bzimport
Modified: 2026-06-26 07:25 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:06:06 UTC 
In the Linux kernel, the following vulnerability has been resolved:

iommu/dma: Do not try to iommu_map a 0 length region in swiotlb

iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
parts, the head, middle and trailer. If the middle is empty because there
are no aligned pages it will call down to iommu_map() with a 0 size
which the iommupt implementation will fail as illegal.

It then tries to do an error unwind and starts from the wrong spot
corrupting the mapping so the eventual destruction triggers a WARN_ON.

Check for 0 length and avoid mapping and use offset not 0 as the starting
point to unlink.

This is frequently triggered by using some kinds of thunderbolt NVMe
drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
pass in oddly aligned buffers for the passthrough commands from smartctl
that hit this condition.
Comment 1 TEJ RATHI 2026-06-26 07:22:35 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062550-CVE-2026-53164-88ad@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.