{"id":"CVE-2026-43220","summary":"iommu/amd: serialize sequence allocation under concurrent TLB invalidations","details":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: serialize sequence allocation under concurrent TLB invalidations\n\nWith concurrent TLB invalidations, completion wait randomly gets timed out\nbecause cmd_sem_val was incremented outside the IOMMU spinlock, allowing\nCMD_COMPL_WAIT commands to be queued out of sequence and breaking the\nordering assumption in wait_on_sem().\nMove the cmd_sem_val increment under iommu-\u003elock so completion sequence\nallocation is serialized with command queuing.\nAnd remove the unnecessary return.","modified":"2026-06-18T03:55:19.817619971Z","published":"2026-05-06T11:28:20.905Z","related":["CGA-6rxc-cwqp-gfmm"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43220.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d51bf43193b1e95dc4e34e540dc76e19def2ae5a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fca7aa0264ae99e5ff287d0ced5af0b82b121c4f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43220.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43220"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f2f65b28d802a667119147444ec2ae33eebf9a58"},{"fixed":"d51bf43193b1e95dc4e34e540dc76e19def2ae5a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"715c263119fd1b918a9fcbd8a36ea5b604a46324"},{"fixed":"fca7aa0264ae99e5ff287d0ced5af0b82b121c4f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e15768e68820142077bbca402d8e902f64ade1b0"},{"fixed":"5000ce7fcb31067566a1a1a2e5b5bbff93625242"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"496269d12072ecb219826485bdbec70c92a8eef5"},{"fixed":"48caa7542a795c9679ec1bd1bc2592e05a7369a4"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d2a0cac10597068567d336e85fa3cbdbe8ca62bf"},{"fixed":"9e249c48412828e807afddc21527eb734dc9bd3d"}]}],"versions":["v6.6.139","v6.6.138","v6.6.137","v6.6.136","v6.6.135","v6.6.134","v6.6.133","v6.6.132","v6.6.131","v6.6.130","v6.6.129","v6.6.128","v6.12.87","v6.12.86","v6.12.85","v6.12.84","v6.12.83","v6.12.82","v6.12.81","v6.12.80","v6.12.79","v6.12.78","v6.12.77","v6.12.76","v6.12.75"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43220.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.6.128"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.12.75"},{"fixed":"6.12.88"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43220.json"}}],"schema_version":"1.7.5"}