Linux kernel maintainers dropped a security advisory on May 27, 2026, detailing CVE-2026-45894—a dangerous race condition in the kernel's Intel VT-d IOMMU driver. The bug exposes a window where the kernel tears down a PASID (Process Address Space ID) table entry in multiple steps, potentially letting a device see stale memory mappings and crash the system, corrupt data, or even escalate privileges.
For Windows shops running virtual machines on Linux-based hypervisors, this isn't just a Linux problem. It's a cloud security and infrastructure risk that demands immediate attention.
The Anatomy of an Intel VT-d PASID
Intel VT-d (Virtualization Technology for Directed I/O) is the hardware muscle behind DMA remapping and interrupt remapping for virtualized environments. It ensures that a PCIe device assigned to a virtual machine can only access memory that belongs to that VM, preventing a rogue or compromised device from reading or writing host memory.
PASID takes that a step further. In a world where a single device can service multiple VMs or processes through shared virtual memory, PASID tags each DMA request with a 20-bit identifier, allowing the IOMMU to look up translations in per-process address space tables. This is the backbone of technologies like Scalable IOV (Intel's successor to SR-IOV) and of efficiently sharing GPUs or FPGAs across multiple containers or VMs.
Each PASID entry lives in a table in host memory. It contains a pointer to the first-level translation table (for I/O page faults) or a second-level pointer for nested translation. When a process exits or a VM shuts down, the kernel must tear down that entry—invalidate the IOMMU's caches and free the pages—without leaving any dangling references that hardware might still use.
The bug lies in the teardown sequence. Instead of atomically clearing the entry and flushing caches, the Linux kernel's VT-d driver performed the operation in pieces: it first cleared the present bit, then issued an invalidation command, and only later freed the memory. In between those steps, a well-timed DMA request from the device could hit the IOMMU with a PASID value that still pointed to the entry, but with inconsistent state. The hardware might see a valid translation structure pointer, grab it, and start walking page tables that are already being freed. Result: use-after-free, potential memory corruption, and a path to privilege escalation.
Why the Race Matters
The race window is brief—measured in microseconds—but an attacker with control over a device in a VFIO-passthrough setup or a malicious VM could repeatedly hammer that window. Successful exploitation could allow a guest to read or write arbitrary host memory, escape the VM, or crash the host.
This isn't a theoretical concern. Similar IOMMU teardown races have been exploited before. CVE-2022-41674 (a KVM/MMU issue) and CVE-2021-33034 (an Intel VT-d context-cache invalidation flaw) both stemmed from insufficient ordering between cache invalidation and memory management. The Linux kernel security team rated CVE-2026-45894 with a CVSS score of 7.8 (High) and assigned it CWE-367 (Time-of-check Time-of-use Race Condition).
Affected kernels include all mainline releases from 5.10 onward that enable PASID support, which covers virtually every modern Linux distribution. The fix, authored by Intel engineers and reviewed by kernel IOMMU maintainers, wraps the teardown in a spinlock and ensures that the IOMMU's context cache and IOTLB are fully flushed before the entry's memory is touched. The patches landed in linux-stable on May 27, 2026, tagged as 6.1.96, 6.6.36, and backports for older LTS trees.
Immediate Impact for Windows Users
Windows itself is not directly vulnerable because its hypervisor (Hyper‑V) and kernel manage VT-d tables through a different code base. But many enterprises run Windows VMs on Linux-based hypervisors: KVM on Ubuntu, RHEL, or SUSE in private clouds, OpenStack deployments, and even some Azure nested virtualization scenarios. When the Linux host is compromised, every guest on it—including Windows Server, Windows 10/11 VMs, and WSL2 instances—is at risk.
Take WSL2 as a stark example. WSL2 runs a full Linux kernel inside a lightweight Hyper‑V VM. That kernel comes from Microsoft's own fork, which they update independently from the main Windows release cycle. If your WSL2 kernel is older than the patched version (5.15.153.1 for Windows 11, for instance), a malicious process inside a WSL2 distro could attempt to exploit this race to break out into the Windows host. Microsoft had already shipped the fix to Windows Insiders via a kernel update on June 3, 2026, and pushed it to all WSL2 users through Windows Update on June 10.
Public cloud providers reacted quickly. AWS reported that all affected Nitro-based EC2 instances were patched within 48 hours. Google Cloud completed its rollout for Compute Engine VMs by May 30. Azure's Linux-based hosts (which underpin services like Azure Kubernetes Service nodes) received the kernel hotfix on May 28; pure Hyper‑V hosts were never affected.
What Windows Admins Must Do Now
- Audit your hypervisor estate: Identify all Linux hosts running KVM or Xen that use Intel processors with VT-d. A quick command-line check (dmesg | grep -i dmar) reveals if PASID is advertised. The kernel version must be at least the patched baseline.
- Patch immediately: For on-prem KVM hosts, apply the latest kernel update from your distribution. Red Hat, SUSE, Canonical, and Debian all published advisories on May 28.
- Verify WSL2 kernel version: Inside a WSL2 shell, run uname -r. If the version string shows a kernel older than 5.15.153.1-microsoft-standard-WSL2, run wsl --update from a PowerShell prompt to force the kernel update.
- Consider disabling PASID: If your VMs don't rely on Shared Virtual Memory or Scalable IOV features, you can add intel_iommu=off or iommu.passthrough=0 to the kernel command line—at the cost of losing some hardware acceleration. In Windows, Hyper‑V does not expose PASID to guests by default unless you explicitly configure virtual NUMA and GPU‑P, so most deployments are safe without this feature.
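The audit and WSL2 checks above can be scripted. The following is an added example, not code from the advisory or any vendor: a POSIX shell helper that classifies a uname -r string against the baselines quoted in this article (6.1.96, 6.6.36, and 5.15.153.1 for the WSL2 kernel). The function and status names are this example's own, and it assumes the release string reflects the upstream stable version; distribution kernels that backport fixes under their own numbering still need the vendor advisory, so a below-baseline result there is a prompt to check rather than a verdict.

```shell
#!/bin/sh
# Added example: baselines come from the article; function and status names
# are this example's own.

# ver_ge A B: succeed when dotted version A >= B (missing fields count as 0).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# kernel_status RELEASE: classify a `uname -r` string.
kernel_status() {
    rel=$1
    ver=${rel%%[!0-9.]*}   # leading numeric part, e.g. 5.15.153.1
    ver=${ver%.}
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    series=$(printf '%s\n' "$ver" | cut -d. -f1,2)
    base=
    case "$series" in
        6.1) base=6.1.96 ;;
        6.6) base=6.6.36 ;;
        5.15) case "$rel" in *microsoft-standard-WSL2*) base=5.15.153.1 ;; esac ;;
    esac
    if ! ver_ge "$ver" 5.10; then echo before-affected-range; return 0; fi
    # No baseline quoted for this series: defer to the vendor advisory.
    if [ -z "$base" ]; then echo check-vendor-advisory; return 0; fi
    if ver_ge "$ver" "$base"; then echo at-or-above-baseline
    else echo below-baseline; fi
}

# dmar_seen: read dmesg text on stdin; succeed if any DMAR line is present
# (the article's `dmesg | grep -i dmar` check).
dmar_seen() { grep -qi dmar; }

# Check the local host only when asked: sh audit.sh --host
if [ "${1:-}" = "--host" ]; then
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    if dmesg 2>/dev/null | dmar_seen; then echo "DMAR lines present"
    else echo "no DMAR lines visible (dmesg may need root)"; fi
fi
```

Segments are compared numerically, so 6.6.9 sorts below 6.6.36 where a plain string comparison would get it wrong.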
A Broader Trend: Virtualization Boundaries Under Pressure
CVE-2026-45894 is the latest salvo in a long line of cross‑privilege attacks targeting IOMMU subsystems. As more enterprises push GPU-heavy workloads into VMs and containers—AI training, real‑time video processing, database acceleration—the attack surface around device passthrough expands. Each kernel feature that lets a VM directly command hardware (VFIO, SR‑IOV, Scalable IOV) requires iron‑clad memory protections in the host.
The Linux kernel community’s response to this bug was swift and transparent, thanks in part to the growing culture of coordinated disclosure and the availability of fuzzing frameworks like syzkaller that exercise exactly these code paths. But one sobering lesson remains: hardware‑enforced isolation is only as strong as the software that configures it. A single poorly ordered flush in a hot path can undo years of architectural refinement.
For Windows professionals, the takeaway is clear. Your cloud workloads, your nested virtual labs, even that convenient WSL2 development environment all run on layers of kernel code you don’t directly control. Monitoring advisories from the Linux vendor ecosystem—and applying patches as quickly as you would Windows updates—is now a non‑negotiable part of the job.
Looking Ahead
Intel’s VT-d specification has evolved through several revisions; the current 4.1 spec mandates atomic PASID entry invalidation through an entirely new command (QI_PASID_IOTLB_INV) that the IOMMU must handle transactionally. The fix for CVE-2026-45894 backports that logic into software for older hardware. Future silicon will likely enforce these ordering guarantees, but until then, the onus is on kernel developers to prevent races.
For Windows users, the incident is a reminder that even a “Linux‑only” CVE can ripple through their environments. The tools to detect and mitigate these cross‑platform threats are already part of the Windows management stack—Group Policy for WSL update controls, Azure Monitor for host patching status—but only if they’re actively used.