CVE-2026-45931 - Vulnerability Details

- accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to
accessing iommu_mm after the associated mm structure has been
freed.

Fix this by taking an explicit reference to the mm structure
after successfully binding the device, and releasing it only
after the device is unbound. This ensures the mm remains valid
for the entire SVA bind/unbind lifetime.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free in the Linux kernel’s amdxdna driver that occurs during the iommu_sva_unbind_device() operation. When a device is unbound, the code accesses an iommu_mm structure after the corresponding mm context has already been freed, causing a kernel crash. The crash can lead to a kernel panic and a system reboot, resulting in loss of availability for all running services.

Affected Systems

The flaw exists in the Linux kernel’s amdxdna acceleration subsystem. Any kernel version that contains the unaffected commit before the patch is vulnerable; the data does not specify a particular version range, so all kernels prior to the inclusion of the fix are affected.

Risk and Exploitability

Exploitation requires a local, privileged user who can trigger bind or unbind operations on an AMD XDNA device. Once such a user can cause an unbind, the use‑after‑free will execute and crash the kernel. No remote exploitation method is documented, and the EPSS score is unavailable. The vulnerability is not listed in CISA KEV, but because the crash results in a kernel panic the risk to availability is high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< f6b4c1d98a7b8040d4d02e89425b3942016a2c2c
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< f31ccf6278132a35a652fe5eeac3941e1e912398
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< a9162439ad792afcddc04718408ec1380b7a5f63

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[be462c97b7dfd24999babe39cce3de224ebe1f80,f6b4c1d98a7b8040d4d02e89425b3942016a2c2c)`	affected	code_commit	—
`[be462c97b7dfd24999babe39cce3de224ebe1f80,f31ccf6278132a35a652fe5eeac3941e1e912398)`	affected	code_commit	—
`[be462c97b7dfd24999babe39cce3de224ebe1f80,a9162439ad792afcddc04718408ec1380b7a5f63)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that incorporates the commit a9162439 that fixes the use‑after‑free by holding a reference to the mm structure until device unbinding is complete.
If an upgrade cannot be performed immediately, unload or disable the amdxdna driver, or otherwise prevent the device from being unbound until the patch is applied.
Restrict bind and unbind operations to the least privileged users and audit access to the AMD XDNA device interface to avoid accidental or malicious crashes.

Generated by OpenCVE AI on May 27, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63
https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398
https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c

History

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.
Title		accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63 https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398 https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:49.527Z

Updated: 2026-05-27T12:17:49.527Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45931

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:09.053

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:45:43Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object