Description
In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In __iommu_group_set_domain_internal(), concurrent domain attachments are
rejected when any device in the group is recovering. This is necessary to
fence concurrent attachments to a multi-device group where devices might
share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in
__iommu_group_set_domain_nofail().

Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such
as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should
not be rejected, as the domain would be freed anyway in these nofail paths
while group->domain is still pointing to it. So pci_dev_reset_iommu_done()
could trigger a UAF when re-attaching group->domain.

Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through
the group->recovery_cnt fence, so as to update the group->domain pointer.
Instead add a gdev->blocked check in the device iteration loop, to prevent
any concurrent per-device detachment.

Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a

AI Analysis

Impact

The Linux kernel's IOMMU subsystem can trigger a WARN_ON in __iommu_group_set_domain_nofail() during device reset. If a device in a multi-device group is recovering while another path tears down the group's domain, the group->domain pointer can be left pointing at freed memory, so re-attaching it after the reset (as pci_dev_reset_iommu_done() does) becomes a use-after-free. An attacker able to control device reset operations could potentially use this to corrupt kernel memory; the potential impact is privilege escalation.

Affected Systems

The flaw resides in the core Linux kernel IOMMU code and therefore applies to any Linux installation that has not applied the upstream fix referenced in the commit logs. The affected product is listed as the Linux kernel (vendor: Linux); specific version details are not provided.

Risk and Exploitability

No CVSS or EPSS score is available and the vulnerability is not listed in CISA KEV, suggesting a moderate exploitation likelihood. The attack would require local or privileged access to trigger device resets and manipulate IOMMU domain assignments, which may be feasible on systems with poorly secured device interfaces. Because the bug leads to a use‑after‑free, exploitation could result in arbitrary code execution or privilege escalation within the kernel context. The exact attack vector is inferred from the description and not confirmed by any public exploit.

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit fixing the race condition and use‑after‑free
  • If an update is not immediately possible, apply the patch directly from the provided commit references to the IOMMU subsystem
  • Verify that IOMMU support is enabled and that device reset handling is configured to respect the updated domain logic

Generated by OpenCVE AI on June 24, 2026 at 19:09 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type: Description
Values removed: (none)
Values added: In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Type: Title
Values removed: (none)
Values added: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

Type: First Time appeared
Values removed: (none)
Values added: Linux; Linux linux Kernel

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:35.247Z

Reserved: 2026-06-09T07:44:35.372Z

Link: CVE-2026-52952

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses