Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free():
iommu_domain_free()
mmdrop()
__mmdrop()
mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Crash)
Action: Patch
AI Analysis

Impact

A use‑after‑free occurs in the Linux kernel when iommu_sva_unbind_device() accesses a freed mm structure after iommu_domain_free() has released domain->mm->iommu_mm. This results in a kernel crash. The vulnerability is purely a denial‑of‑service issue that compromises system availability.

Affected Systems

The flaw affects the Linux kernel, specifically any distribution that employs the iommu/sva IOMMU implementation. No particular vendor versions are identified in the data, so all kernels that include the vulnerable code path are potentially affected until the fix is applied.

Risk and Exploitability

The reported CVSS score of 7.8 and an EPSS score of less than 1% indicate a high severity but very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require local kernel access, as a remote attacker would need to inject code into kernel space to trigger the crash. The intrinsic nature of the bug means that exploitation would lead to a hard reboot or crash rather than data exfiltration or privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the iommu_sva_unbind_device() fix (commit 06e14c36e20b).
  • After updating, restart any services that unbind IOMMU devices, such as VFIO or libvirt, to ensure they operate with the new kernel.
  • If a kernel update cannot be applied immediately, disable IOMMU during boot by adding the 'iommu=off' parameter to the kernel command line and reboot the system.

Generated by OpenCVE AI on April 28, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
Title iommu/sva: Fix crash in iommu_sva_unbind_device()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:06:44.212Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23429

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-04-03T16:16:24.210

Modified: 2026-04-27T14:16:32.353

Link: CVE-2026-23429

cve-icon Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23429 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses