CVE-2026-45931 - Vulnerability Details

- accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to
accessing iommu_mm after the associated mm structure has been
freed.

Fix this by taking an explicit reference to the mm structure
after successfully binding the device, and releasing it only
after the device is unbound. This ensures the mm remains valid
for the entire SVA bind/unbind lifetime.

Published: 2026-05-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s amdxdna driver contains a use‑after‑free flaw that is triggered during iommu_sva_unbind_device(). When a device is unbound, the code accesses an iommu_mm structure after the associated mm context has already been freed, leading to a kernel crash. This crash can cause a kernel panic and a system reboot, resulting in loss of availability for all services running on the affected system.

Affected Systems

The vulnerability is present in the linux_kernel across all releases that have not yet integrated commit a9162439. The affected code resides in the amdxdna acceleration subsystem, which is compiled into the generic Linux kernel. All kernel versions that lack the patch are vulnerable, regardless of distribution or configuration.

Risk and Exploitability

Exploitation requires a local, privileged user with the ability to trigger bind or unbind operations on an AMD XDNA device. Once such a user forces an unbind, the use‑after‑free will execute and crash the kernel. Remote exploitation is not documented. The EPSS score is less than 1%, indicating a low probability of real‑world exploitation that is also not listed in the CISA KEV catalog. Nevertheless, because the flaw leads to a kernel panic, its availability impact is significant if an attacker can attain the necessary privilege level.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< f6b4c1d98a7b8040d4d02e89425b3942016a2c2c
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< f31ccf6278132a35a652fe5eeac3941e1e912398
`be462c97b7dfd24999babe39cce3de224ebe1f80`	affected	< a9162439ad792afcddc04718408ec1380b7a5f63

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[be462c97b7dfd24999babe39cce3de224ebe1f80,f6b4c1d98a7b8040d4d02e89425b3942016a2c2c)`	affected	code_commit	—
`[be462c97b7dfd24999babe39cce3de224ebe1f80,f31ccf6278132a35a652fe5eeac3941e1e912398)`	affected	code_commit	—
`[be462c97b7dfd24999babe39cce3de224ebe1f80,a9162439ad792afcddc04718408ec1380b7a5f63)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that incorporates commit a9162439, which holds a reference to the mm structure until device unbinding completes.
If an upgrade cannot be performed immediately, unload or disable the amdxdna driver, or otherwise prevent the device from being unbound until the patch is applied.
Restrict bind and unbind operations to the least privileged users and audit access to the AMD XDNA device interface to prevent accidental or malicious crashes.

Generated by OpenCVE AI on May 30, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63
https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398
https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c
https://lore.kernel.org/linux-cve-announce/2026052727-CVE-2026-45931-e8b8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45931
https://www.cve.org/CVERecord?id=CVE-2026-45931

History

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026052727-CVE-2026-45931-e8b8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45931 https://www.cve.org/CVERecord?id=CVE-2026-45931

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.
Title		accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63 https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398 https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:49.527Z

Updated: 2026-05-30T10:45:57.696Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45931

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:09.053

Modified: 2026-05-30T11:17:15.953

Link: CVE-2026-45931

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45931 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:30:23Z

Weaknesses

CWE-825
Expired Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object