CVE-2026-23361
Published: 25 March 2026
Summary
CVE-2026-23361 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23361 is a race condition vulnerability in the Linux kernel's PCI DesignWare (DWC) endpoint subsystem, specifically affecting the dw_pcie_ep_raise_msix_irq() function used by endpoint drivers to raise MSI-X interrupts to the host. The issue arises because the function performs a writel() operation, which generates a PCI posted write without completion acknowledgment, and then unmaps the outbound Address Translation Unit (ATU) entry. If the write does not complete before the unmap, it can result in host memory corruption or IOMMU errors, such as those observed with nvmet-pci-epf under high queue depths in fio testing. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.
Exploitation requires local access (AV:L) with low privileges (PR:L) on the endpoint system running the vulnerable Linux kernel, with no user interaction needed (UI:N) and unchanged scope (S:U). An attacker could trigger the vulnerable code path in an endpoint driver, such as during MSI-X interrupt generation, causing the race condition. Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), including arbitrary host memory corruption or IOMMU faults that disrupt host operations.
Kernel patches addressing the vulnerability, available in stable branches via commits such as 6f60a783860c, a7afb8f810c0, c22533c66cca, and eaa6a56801dd, mitigate the issue by flushing the MSI-X write with a readl() of the same address before unmapping the ATU entry. This ensures the posted write completes before the unmap, preventing the race. A similar problem in dw_pcie_ep_raise_msi_irq() was previously resolved by dedicating an iATU mapping, but MSI-X requires dynamic handling due to per-vector msg_addr variations. Security practitioners should update affected Linux kernels to incorporate these fixes.
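As an added illustration (not kernel code and not the patch itself), the following user-space C model shows the ordering problem described above: a posted writel() whose completion is deferred, an ATU window that is unmapped underneath it, and a non-posted readl() that forces the write to complete first. The sim_writel/sim_readl/atu_* functions and the host_mem array are this model's own assumptions; the model lets an unflushed write always lose the race so the failure is deterministic rather than timing-dependent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NO_FAULT      0
#define F_TRANSLATION 1  /* stands in for the SMMU "Input address caused fault" event */
static uint32_t host_mem[4];   /* constructed host memory behind the MSI-X doorbell */
/* One simulated outbound ATU window plus the write still "posted" against it
 * (writel() returned, but the data has not yet landed at the destination). */
static struct {
    bool mapped, pending;
    int pending_idx, faults;
    uint32_t pending_val;
} atu;
static void atu_reset(void) { memset(&atu, 0, sizeof atu); memset(host_mem, 0, sizeof host_mem); }
/* Posted write: returns at once; completion happens later, if the window still exists. */
static void sim_writel(uint32_t val, int idx)
{
    atu.pending = true; atu.pending_idx = idx; atu.pending_val = val;
}
/* A read is non-posted: it cannot return until earlier writes on the same path
 * have completed, so it drains the pending write into host memory first. */
static uint32_t sim_readl(int idx)
{
    if (atu.pending && atu.mapped) { host_mem[atu.pending_idx] = atu.pending_val; atu.pending = false; }
    return host_mem[idx];
}
/* Unmap while a write is still posted: the model always lets the write lose the
 * race, so the translation is gone when it arrives and the IOMMU reports a fault. */
static void atu_unmap(void)
{
    if (atu.pending) { atu.faults++; atu.pending = false; }
    atu.mapped = false;
}
/* Vulnerable order (the CVE): map, writel(), unmap. */
int raise_msix_unflushed(uint32_t msg_data, int idx)
{
    atu_reset(); atu.mapped = true; sim_writel(msg_data, idx); atu_unmap();
    return atu.faults ? F_TRANSLATION : NO_FAULT;
}
/* Fixed order (the patch): map, writel(), readl() of the same address, unmap. */
int raise_msix_flushed(uint32_t msg_data, int idx)
{
    atu_reset(); atu.mapped = true; sim_writel(msg_data, idx); (void)sim_readl(idx); atu_unmap();
    return atu.faults ? F_TRANSLATION : NO_FAULT;
}
uint32_t host_value(int idx) { return host_mem[idx]; }  /* what actually reached the host */
```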
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15340
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes.

dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap. If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

  arm-smmu-v3 fc900000.iommu: 0x0000010000000010
  arm-smmu-v3 fc900000.iommu: 0x0000020000000000
  arm-smmu-v3 fc900000.iommu: 0x000000090000f040
  arm-smmu-v3 fc900000.iommu: 0x0000000000000000
  arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
  arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition enabling out-of-bounds write and arbitrary memory corruption from low privileges, directly facilitating privilege escalation on affected systems.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly mitigates the race condition by requiring timely application of the kernel patches that flush the MSI-X posted write before the ATU entry is unmapped.
RA-5 (Vulnerability Monitoring and Scanning): Identifies the presence of CVE-2026-23361 in vulnerable Linux kernel versions through regular vulnerability scanning, enabling remediation.
Monitors system activity to detect indicators of exploitation such as IOMMU faults and host memory corruption errors from the race condition.