Description
In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In __iommu_group_set_domain_internal(), concurrent domain attachments are
rejected when any device in the group is recovering. This is necessary to
fence concurrent attachments to a multi-device group where devices might
share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in
__iommu_group_set_domain_nofail().

Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such
as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should
not be rejected, as the domain would be freed anyway in these nofail paths
while group->domain is still pointing to it. So pci_dev_reset_iommu_done()
could trigger a UAF when re-attaching group->domain.

Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through
the group->recovery_cnt fence, so as to update the group->domain pointer.
Instead add a gdev->blocked check in the device iteration loop, to prevent
any concurrent per-device detachment.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s IOMMU subsystem. During device reset, a concurrent attachment to an IOMMU group can trigger a WARN_ON in __iommu_group_set_domain_nofail(), causing the group’s domain pointer to be used after it has been freed, resulting in an unchecked use‑after‑free. This flaw could allow a local attacker with the ability to trigger or observe device reset operations to corrupt kernel memory and potentially achieve arbitrary code execution or privilege escalation.

Affected Systems

The issue affects any system running a version of the Linux kernel that has not applied the upstream fix referenced by the commit logs. It applies to all Linux kernel builds, including those used in desktop, server, and embedded environments. As the vulnerability is in core kernel code, no specific distribution version is singled out; all installations that have not yet incorporated the patch are potentially affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and the EPSS score of <1% suggests a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves local or privileged actions that trigger device resets, which would need to occur before the kernel recovers. Because the bug requires such privileged access, the risk is limited to systems where an attacker can attain these privileges, and the narrow exploitation window reduces the real‑world threat.

Generated by OpenCVE AI on June 28, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that incorporates the upstream fix for CVE‑2026‑52952, as indicated by the commit hashes in the advisory.
  • If an update cannot be applied immediately, cherry‑pick or otherwise apply the specific patches from the referenced commits to the local kernel source tree and rebuild.
  • As a temporary mitigation, disable or restrict IOMMU reset handling for devices until the kernel is updated, ensuring that device resets do not trigger concurrent group domain operations.
  • Monitor vendor advisories and apply any additional patches as they become available.

Generated by OpenCVE AI on June 28, 2026 at 13:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Sat, 27 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
Title iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-30T12:09:44.280Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52952

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52952 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference