CVE-2026-43486 (GCVE-0-2026-43486)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
Summary
In the Linux kernel, the following vulnerability has been resolved:

arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults

contpte_ptep_set_access_flags() compared the gathered ptep_get() value against the requested entry to detect no-ops. ptep_get() ORs AF/dirty from all sub-PTEs in the CONT block, so a dirty sibling can make the target appear already-dirty. When the gathered value matches entry, the function returns 0 even though the target sub-PTE still has PTE_RDONLY set in hardware.

For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered across the CONT range. But page-table walkers that evaluate each descriptor individually (e.g. a CPU without DBM support, or an SMMU without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the unchanged target sub-PTE, causing an infinite fault loop.

Gathering can therefore cause false no-ops when only a sibling has been updated:
 - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
 - read faults: target still lacks PTE_AF

Fix by checking each sub-PTE against the requested AF/dirty/write state (the same bits consumed by __ptep_set_access_flags()), using raw per-PTE values rather than the gathered ptep_get() view, before returning no-op. Keep using the raw target PTE for the write-bit unfold decision.

Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT range may become the effective cached translation and software must maintain consistent attributes across the range.
Severity
No CVSS data available.
Assigner
Linux
Impacted products

Vendor: Linux
Product: Linux
Version (git):
  Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0 (git)
  Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 6f92a7a8b48a523f910ef25dd83808710724f59b (git)
  Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 09d620555e59768776090073a2c59d2bc8506eb3 (git)
  Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 97c5550b763171dbef61e6239cab372b9f9cd4a2 (git)

Vendor: Linux
Product: Linux
Version (semver):
  Affected: 6.9
  Unaffected: 0 , < 6.9 (semver)
  Unaffected: 6.12.78 , ≤ 6.12.* (semver)
  Unaffected: 6.18.19 , ≤ 6.18.* (semver)
  Unaffected: 6.19.9 , ≤ 6.19.* (semver)
  Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/mm/contpte.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0",
              "status": "affected",
              "version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
              "versionType": "git"
            },
            {
              "lessThan": "6f92a7a8b48a523f910ef25dd83808710724f59b",
              "status": "affected",
              "version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
              "versionType": "git"
            },
            {
              "lessThan": "09d620555e59768776090073a2c59d2bc8506eb3",
              "status": "affected",
              "version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
              "versionType": "git"
            },
            {
              "lessThan": "97c5550b763171dbef61e6239cab372b9f9cd4a2",
              "status": "affected",
              "version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/mm/contpte.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults\n\ncontpte_ptep_set_access_flags() compared the gathered ptep_get() value\nagainst the requested entry to detect no-ops. ptep_get() ORs AF/dirty\nfrom all sub-PTEs in the CONT block, so a dirty sibling can make the\ntarget appear already-dirty. When the gathered value matches entry, the\nfunction returns 0 even though the target sub-PTE still has PTE_RDONLY\nset in hardware.\n\nFor a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may\nset AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered\nacross the CONT range. But page-table walkers that evaluate each\ndescriptor individually (e.g. a CPU without DBM support, or an SMMU\nwithout HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the\nunchanged target sub-PTE, causing an infinite fault loop.\n\nGathering can therefore cause false no-ops when only a sibling has been\nupdated:\n - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)\n - read faults:  target still lacks PTE_AF\n\nFix by checking each sub-PTE against the requested AF/dirty/write state\n(the same bits consumed by __ptep_set_access_flags()), using raw\nper-PTE values rather than the gathered ptep_get() view, before\nreturning no-op. Keep using the raw target PTE for the write-bit unfold\ndecision.\n\nPer Arm ARM (DDI 0487) D8.7.1 (\"The Contiguous bit\"), any sub-PTE in a CONT\nrange may become the effective cached translation and software must\nmaintain consistent attributes across the range."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:08:32.085Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f92a7a8b48a523f910ef25dd83808710724f59b"
        },
        {
          "url": "https://git.kernel.org/stable/c/09d620555e59768776090073a2c59d2bc8506eb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/97c5550b763171dbef61e6239cab372b9f9cd4a2"
        }
      ],
      "title": "arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43486",
    "datePublished": "2026-05-13T15:08:32.085Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-13T15:08:32.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43486",
      "date": "2026-05-27",
      "epss": "0.00023",
      "percentile": "0.0684"
    }
  }
}

