Cyber Resilience

CVE-2026-23361

High

Published: 25 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23361 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23361 is a race condition vulnerability in the Linux kernel's PCI DesignWare (DWC) endpoint subsystem, specifically affecting the dw_pcie_ep_raise_msix_irq() function used by endpoint drivers to raise MSI-X interrupts to the host. The issue arises because the function performs a writel() operation, which generates a PCI posted write without completion acknowledgment, and then unmaps the outbound Address Translation Unit (ATU) entry. If the write does not complete before the unmap, it can result in host memory corruption or IOMMU errors, such as those observed with nvmet-pci-epf under high queue depths in fio testing. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.

Exploitation requires local access (AV:L) with low privileges (PR:L) on the endpoint system running the vulnerable Linux kernel, with no user interaction needed (UI:N) and unchanged scope (S:U). An attacker could trigger the vulnerable code path in an endpoint driver, such as during MSI-X interrupt generation, causing the race condition. Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), including arbitrary host memory corruption or IOMMU faults that disrupt host operations.

Kernel patches addressing the vulnerability, available in stable branches via commits such as 6f60a783860c, a7afb8f810c0, c22533c66cca, and eaa6a56801dd, mitigate the issue by flushing the MSI-X write with a readl() of the same address before unmapping the ATU entry. This ensures the posted write completes before the unmap, preventing the race. A similar problem in dw_pcie_ep_raise_msi_irq() was previously resolved by dedicating an iATU mapping, but MSI-X requires dynamic handling due to per-vector msg_addr variations. Security practitioners should update affected Linux kernels to incorporate these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

    arm-smmu-v3 fc900000.iommu: 0x0000010000000010
    arm-smmu-v3 fc900000.iommu: 0x0000020000000000
    arm-smmu-v3 fc900000.iommu: 0x000000090000f040
    arm-smmu-v3 fc900000.iommu: 0x0000000000000000
    arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
    arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition enabling out-of-bounds write and arbitrary memory corruption from low privileges, directly facilitating privilege escalation on affected systems.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 · Same product: Linux Linux Kernel
CVE-2026-31772 · Same product: Linux Linux Kernel
CVE-2026-23378 · Same product: Linux Linux Kernel
CVE-2026-31494 · Same product: Linux Linux Kernel
CVE-2025-21735 · Same product: Linux Linux Kernel
CVE-2025-21650 · Same product: Linux Linux Kernel
CVE-2024-52319 · Same product: Linux Linux Kernel
CVE-2024-58003 · Same product: Linux Linux Kernel
CVE-2026-23343 · Same product: Linux Linux Kernel
CVE-2026-23092 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.19, 7.0 · 4.19.1 — 6.12.77 · 6.13 — 6.18.17 · 6.19 — 6.19.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the race condition vulnerability by requiring timely application of kernel patches that flush the MSI-X posted write before ATU unmapping.

prevent

Identifies the presence of CVE-2026-23361 in vulnerable Linux kernel versions through regular vulnerability scanning, enabling remediation.

detect

Monitors system activity to detect indicators of exploitation such as IOMMU faults and host memory corruption errors from the race condition.
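One way to implement the IOMMU-fault monitoring described above, as an added example that is not part of the original record or the kernel project: a small triage script that pulls arm-smmu-v3 F_TRANSLATION write faults out of a host kernel log and counts them per PCI client. The regular expressions are derived only from the log lines quoted in the commit message; the function names, timestamps and the nvme line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the arm-smmu-v3 payloads are the lines quoted in the
# commit message; timestamps and the nvme line are made up for the example.
SAMPLE_LOG = """\
[  812.101] nvme nvme0: constructed unrelated line
[  812.204] arm-smmu-v3 fc900000.iommu: 0x0000010000000010
[  812.204] arm-smmu-v3 fc900000.iommu: 0x0000020000000000
[  812.204] arm-smmu-v3 fc900000.iommu: 0x000000090000f040
[  812.204] arm-smmu-v3 fc900000.iommu: 0x0000000000000000
[  812.204] arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
[  812.204] arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0
"""

EVENT_RE = re.compile(
    r"arm-smmu-v3 (\S+): event: (F_\w+) client: (\S+) "
    r"sid: (0x[0-9a-f]+) ssid: 0x[0-9a-f]+ iova: (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"arm-smmu-v3 (\S+): ((?:un)?priv \w+ (read|write))\b")

def translation_write_faults(log_text):
    """Return F_TRANSLATION faults whose follow-up line reports a write."""
    faults, pending = [], {}
    for line in log_text.splitlines():
        ev = EVENT_RE.search(line)
        if ev:
            smmu, event, client, sid, iova = ev.groups()
            # Hold the event until the access-type line from the same SMMU.
            pending[smmu] = {"smmu": smmu, "event": event, "client": client,
                             "sid": sid, "iova": int(iova, 16)}
            continue
        acc = ACCESS_RE.search(line)
        if acc and acc.group(1) in pending:
            fault = pending.pop(acc.group(1))
            fault["access"] = acc.group(2)
            if fault["event"] == "F_TRANSLATION" and acc.group(3) == "write":
                faults.append(fault)
    return faults

def faults_per_client(faults):
    """Count faults per PCI client (BDF) so a noisy endpoint stands out."""
    return Counter(f["client"] for f in faults)

if __name__ == "__main__":
    for f in translation_write_faults(SAMPLE_LOG):
        print(f"{f['client']} sid={f['sid']} iova={f['iova']:#x} {f['access']}")
```

A translation write fault is not unique to this CVE; a hit from a DWC-based endpoint is a prompt to check the endpoint's kernel version against the affected ranges listed above.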

References