CVE-2026-31735

Published: May 1, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

In the Linux kernel, the following vulnerability has been resolved: iommupt: Fix short gather if the unmap goes into a large mapping unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE. In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition. This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause. As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.

Vendor	Product	Versions
Linux	Linux	affected `7c53f4238aa8bfb476e177263133ead2eeb8d55d - < 50ecd96a28f712f8b682c0441f4cb9b086d28816` affected `7c53f4238aa8bfb476e177263133ead2eeb8d55d - < ee6e69d032550687a3422504bfca3f834c7b5061`
Linux	Linux	affected `6.19` unaffected `0 - < 6.19` unaffected `6.19.12 - <= 6.19.` unaffected `7.0 - <= `

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://git.kernel.org/stable/c/50ecd96a28f712f8b682c0441f4cb9b086d28816

https://git.kernel.org/stable/c/ee6e69d032550687a3422504bfca3f834c7b5061

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31735

Description

Affected Products

CVSS v3.1 Details

References