Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL.
However, the teardown operations are executed unconditionally, this lead
to a NULL pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which
would cause an immediate dereference when checking --info->refcnt.

Even if info is not NULL, decrementing the refcount without having removed
a valid PASID might unbalance the count. This could lead to premature
dropping of the refcount to 0, potentially causing a use-after-free for the
remaining active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the
teardown operations.

Issue found by AI review and suggested by Kevin Tian.
https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
Published: 2026-06-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s iommu/vt-d subsystem a flaw was discovered where the teardown logic accesses a NULL dev_pasid pointer (CWE-476) or incorrectly decrements a reference count (CWE-416). A missing PASID can cause a null-pointer dereference or corrupt the refcount, potentially triggering a use-after-free of the domain object. The result can be a kernel panic or other denial‑of‑service condition for all devices sharing that domain. The likely attack vector requires the attacker to have control over the iommu/vt-d subsystem, such as through a user‑space program with suitable privileges or by manipulating passthrough device settings.

Affected Systems

The flaw affects the Linux kernel, specifically any configuration that enables the iommu/vt-d interface. No specific version range is listed by the CNA; the fix was applied by commit 60f030f7418d. Users of the affected kernel branch must ensure they run a version that includes this commit.

Risk and Exploitability

The CVSS score is 8.8 and the EPSS score is <1%, indicating a high‑severity flaw with a very low probability of exploitation. The vulnerability is a local kernel flaw that requires attacker control over the iommu/vt-d subsystem to trigger the faulty teardown code. The KEV status indicates it is not currently listed as a known exploited vulnerability, thus exploitation risk appears to be low.

Generated by OpenCVE AI on June 28, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a kernel release that includes commit 60f030f7418d, which adds an early return for NULL dev_pasid before teardown.
  • If upgrading is not possible, disable iommu/vt-d or limit the usage of passthrough devices to prevent the fault from being triggered.
  • Apply strict isolation for passthrough devices and monitor for IOMMU‑related errors or consider alternative virtualization that does not use iommu/vt-d.

Generated by OpenCVE AI on June 28, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000


Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Sun, 28 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 26 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly. If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, this lead to a NULL pointer dereference or refcount corruption. If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt. Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain. Fix it by returning early if dev_pasid is NULL, before executing the teardown operations. Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
Title iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:23.738Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53281

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:30:06Z

Weaknesses