Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free():
iommu_domain_free()
  mmdrop()
    __mmdrop()
      mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().
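
The ordering problem described above, as an added example that is not the kernel's code or the fix commit. It is a userspace model in which every `model_*`, `unbind_*` and `run_unbind` name is hypothetical, and the mm is marked dead instead of being freed so that the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
struct model_mm { int refs; bool live; int iommu_mm_users; };
struct model_domain { struct model_mm *mm; };
static int stale_accesses; /* accesses made after the last mm reference dropped */

/* Stands in for mmdrop(): the last put marks the mm dead (the kernel frees it). */
static void model_mmdrop(struct model_mm *mm) { if (--mm->refs == 0) mm->live = false; }
/* Stands in for iommu_domain_free(): releases the domain's mm reference. */
static void model_domain_free(struct model_domain *d) { model_mmdrop(d->mm); }

/* Checked accessor for iommu_mm state; the kernel has no such check. */
static int *model_iommu_mm(struct model_mm *mm)
{
    if (!mm->live) stale_accesses++;
    return &mm->iommu_mm_users;
}

/* Pre-fix order: free the domain, then touch domain->mm->iommu_mm. */
static void unbind_buggy(struct model_domain *d)
{
    struct model_mm *mm = d->mm;
    model_domain_free(d);
    (*model_iommu_mm(mm))--;
}

/* Fixed order: finish with iommu_mm first, free the domain last. */
static void unbind_fixed(struct model_domain *d)
{
    (*model_iommu_mm(d->mm))--;
    model_domain_free(d);
}

/* extra_refs: mm references held by something other than the domain. */
static int run_unbind(void (*unbind)(struct model_domain *), int extra_refs)
{
    struct model_mm mm = { 1 + extra_refs, true, 1 };
    struct model_domain d = { &mm };
    stale_accesses = 0;
    unbind(&d);
    return stale_accesses;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", run_unbind(unbind_buggy, 0), run_unbind(unbind_fixed, 0));
    return 0;
}
```

In this model the pre-fix order only goes wrong when the domain holds the last mm reference (`extra_refs == 0`), which matches the description's "can be freed" and "may dereference" wording.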
Published: 2026-04-03
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises in the Linux kernel's IOMMU subsystem, where freeing an IOMMU domain can also free the memory-management (mm) structure that the domain points to. Code in the unbind path then accesses domain->mm->iommu_mm, a use-after-free dereference that results in a kernel crash. This can be triggered when a device is unbound from an IOMMU domain, leading to a denial of service because the entire system may panic.

Affected Systems

The flaw is limited to the Linux operating system kernel, particularly code paths that invoke iommu_sva_unbind_device(). No specific kernel release versions are enumerated in the advisory, so all kernels containing this code path without the applied fix are potentially impacted. Systems running a kernel that has not integrated the patch commit are vulnerable.

Risk and Exploitability

The severity is high because a kernel crash can terminate critical services or bring the host down. While the CVSS score is not provided, use‑after‑free weaknesses typically receive high scores. The exploit requires that an attacker can cause the unbinding operation, which is usually privileged. Therefore, the attack vector is local with kernel privileges. Because the exploit is not publicly documented and the EPSS score is unavailable, the likelihood of exploitation remains uncertain, but the impact warrants immediate mitigation. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 3, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the fix commit 06e14c36e20b48171df13d51b89fe67c594ed07a or newer.
  • Verify that the operating system does not invoke iommu_sva_unbind_device on device removal while the domain is still in use.
  • If a timely kernel update is not possible, avoid using devices or drivers that trigger this unbind path, or restrict privileged access to kernel operators to reduce the attack surface.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000


Fri, 03 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
Title | | iommu/sva: Fix crash in iommu_sva_unbind_device()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:15.856Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23429

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-03T16:16:24.210

Modified: 2026-04-03T16:16:24.210

Link: CVE-2026-23429

Redhat

Severity :

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:22Z

Weaknesses