CVE-2026-31735

Source
https://cve.org/CVERecord?id=CVE-2026-31735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31735
Downstream
Published
2026-05-01T14:14:32.923Z
Modified
2026-07-08T08:00:04.822629640Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
iommupt: Fix short gather if the unmap goes into a large mapping
Details

In the Linux kernel, the following vulnerability has been resolved:

iommupt: Fix short gather if the unmap goes into a large mapping

unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE.

In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition.

This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause.

As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31735.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c53f4238aa8bfb476e177263133ead2eeb8d55d
Fixed
50ecd96a28f712f8b682c0441f4cb9b086d28816
Fixed
ee6e69d032550687a3422504bfca3f834c7b5061

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31735.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31735.json"