CVE-2026-23429 - Vulnerability Details

- iommu/sva: Fix crash in iommu_sva_unbind_device()

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free():
iommu_domain_free()
mmdrop()
__mmdrop()
mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before
the call to iommu_domain_free().

Published: 2026-04-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free occurs in the Linux kernel when iommu_sva_unbind_device() accesses a freed mm structure after iommu_domain_free() has released domain->mm->iommu_mm. This results in a kernel crash. The vulnerability is purely a denial‑of‑service issue that compromises system availability.

Affected Systems

The flaw affects the Linux kernel, specifically any distribution that employs the iommu/sva IOMMU implementation. No particular vendor versions are identified in the data, so all kernels that include the vulnerable code path are potentially affected until the fix is applied.

Risk and Exploitability

The reported EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a very low probability of exploitation in the wild. The issue would require local kernel access, as a remote attacker would need to inject code into kernel space to trigger the crash. The intrinsic nature of the bug means that exploitation would lead to a hard reboot or crash rather than data exfiltration or privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9f0a7ab700f8620e433b05c57fbd26c92ea186d9`	affected	< 58abeb7b9562f25bdfa2f5ae5ce803eb02e74433
`e37d5a2d60a338c5917c45296bac65da1382eda5`	affected	< f5daaa2c959d9f894fb5b1ab76da8612dd220a0d
`e37d5a2d60a338c5917c45296bac65da1382eda5`	affected	< 06e14c36e20b48171df13d51b89fe67c594ed07a

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9f0a7ab700f8620e433b05c57fbd26c92ea186d9,58abeb7b9562f25bdfa2f5ae5ce803eb02e74433)`	affected	code_commit	—
`[e37d5a2d60a338c5917c45296bac65da1382eda5,f5daaa2c959d9f894fb5b1ab76da8612dd220a0d)`	affected	code_commit	—
`[e37d5a2d60a338c5917c45296bac65da1382eda5,06e14c36e20b48171df13d51b89fe67c594ed07a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	semver	—
`[0,6.19)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates the iommu_sva_unbind_device() fix

Generated by OpenCVE AI on April 7, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a
https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433
https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d
https://lore.kernel.org/linux-cve-announce/2026040310-CVE-2026-23429-2f24@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23429
https://www.cve.org/CVERecord?id=CVE-2026-23429

History

Thu, 23 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026040310-CVE-2026-23429-2f24@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23429 https://www.cve.org/CVERecord?id=CVE-2026-23429

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
Title		iommu/sva: Fix crash in iommu_sva_unbind_device()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433 https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:15.856Z

Updated: 2026-04-13T06:07:16.928Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23429

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T16:16:24.210

Modified: 2026-04-23T21:03:47.160

Link: CVE-2026-23429

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:54:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object