CVE-2026-23429
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu/sva: Fix crash in iommu_sva_unbind_device()
domain->mm->iommu_mm can be freed by iommu_domain_free():
  iommu_domain_free()
    mmdrop()
      __mmdrop()
        mm_pasid_drop()
After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash.
Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
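The ordering problem described above, as an added example that is neither kernel code nor part of the original advisory: a user-space C model in which hypothetical stand-ins (model_mmdrop, model_domain_free, read_pasid and the simplified structs) replace the real kernel functions, and a freed flag replaces the actual release of memory, so a stale access is reported as -1 rather than crashing. It also shows that the old ordering only misbehaves when the domain holds the last reference on the mm.

```c
#include <stdio.h>

/* User-space stand-ins; struct layouts and helper names are assumptions. */
struct iommu_mm { int pasid; };
struct mm { int refs; int freed; struct iommu_mm *iommu_mm; };
struct domain { struct mm *mm; };

/* Models mmdrop() -> __mmdrop() -> mm_pasid_drop(): the last reference frees. */
static void model_mmdrop(struct mm *mm)
{
    if (--mm->refs == 0)
        mm->freed = 1; /* in the kernel the memory is released here */
}

/* Models iommu_domain_free(): drops the domain's reference on the mm. */
static void model_domain_free(struct domain *d) { model_mmdrop(d->mm); }

/* Checked read via mm->iommu_mm: -1 marks a stale access instead of crashing. */
static int read_pasid(const struct mm *mm) { return mm->freed ? -1 : mm->iommu_mm->pasid; }

/* Ordering before the fix: free the domain, then touch domain->mm->iommu_mm. */
static int unbind_before_fix(struct domain *d)
{
    model_domain_free(d);
    return read_pasid(d->mm); /* d itself stays valid in this model */
}

/* Ordering after the fix: finish with iommu_mm, then free the domain. */
static int unbind_after_fix(struct domain *d)
{
    int pasid = read_pasid(d->mm);
    model_domain_free(d);
    return pasid;
}

/* Runs one ordering with `refs` references on the mm; -1 means a stale access. */
static int run_case(int fixed, int refs)
{
    struct iommu_mm im = { .pasid = 42 }; /* constructed sample value */
    struct mm mm = { .refs = refs, .iommu_mm = &im };
    struct domain d = { .mm = &mm };
    return fixed ? unbind_after_fix(&d) : unbind_before_fix(&d);
}

int main(void)
{
    printf("before fix: last ref %d, extra ref %d; after fix: last ref %d\n",
           run_case(0, 1), run_case(0, 2), run_case(1, 1));
    return 0;
}
```

Because the stale access depends on the reference count reaching zero inside iommu_domain_free(), the pre-fix ordering can pass testing whenever something else still holds the mm.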
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's iommu_sva_unbind_device() causes a crash when domain->mm->iommu_mm is accessed after being freed.
Vulnerability
Description
In the Linux kernel's IOMMU subsystem for Shared Virtual Addressing (SVA), a use-after-free bug exists in the iommu_sva_unbind_device() function. The issue arises because domain->mm->iommu_mm can be freed by iommu_domain_free(), yet the function still accesses it after that call returns. This leads to a dereference of a freed mm structure, causing a kernel crash.
Exploitation
An attacker with local access and the ability to trigger device unbinding can exploit this vulnerability. The attack path involves invoking iommu_sva_unbind_device() which calls iommu_domain_free(). After that function returns, the subsequent access to domain->mm->iommu_mm reads freed memory. No special privileges are required beyond being able to unbind an SVA device, which may be available to unprivileged users depending on system configuration.
Impact
Successful exploitation results in a kernel crash (denial of service). Under certain conditions, this use-after-free could potentially be leveraged for privilege escalation, though the primary impact documented is a system crash.
Mitigation
The fix, applied in the Linux kernel stable branches, moves the access to domain->mm->iommu_mm to before the call to iommu_domain_free(), preventing the use-after-free condition [1]. Users should update to a kernel version containing the patch (e.g., commits 58abeb7b9562, 06e14c36e20b, or f5daaa2c959d).
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.18.7,<6.18.20
- cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*