Impact
The Linux kernel’s iommu/vt‑d subsystem contains an out‑of‑scope memory access in domain_remove_dev_pasid. When a QEMU process is terminated, the function attempts to dereference a dummy domain that lacks an associated dmar_domain structure, causing a general protection fault triggered by a non‑canonical address. This out‑of‑bounds read corresponds to CWE‑125. The resulting kernel crash brings the system down, creating a denial‑of‑service condition.
Affected Systems
All Linux kernel releases 1e659db4, 88397fad, and a6dea58d are impacted. The kernel, and the advisory notes that any kernel prior to incorporating the aforementioned changes could crash when QEMU is force‑closed or when a dummy domain is present. No specific version range is listed, so any kernel lacking the patch is considered at risk.
Risk and Exploitability
The CVSS score of 7.1 and an EPSS below 1% suggest a modest baseline risk. The issue is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to interact with the iommu/vt‑d subsystem, typically requiring privileged or local access to trigger the faulty domain removal path—for example, by killing a QEMU process or forcing device hot‑unplug. External exploitation is unlikely unless the attacker can gain such access, but the availability impact is significant if the conditions are met.
OpenCVE Enrichment