HIGH
iommu SVA UAF
CVE-2026-23429
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.7 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free():

    iommu_domain_free()
      mmdrop()
        __mmdrop()
          mm_pasid_drop()

After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().

02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the IOMMU Shared Virtual Addressing (SVA) subsystem allows privileged local attackers to cause kernel crashes or potentially execute arbitrary code. The bug is triggered when unbinding an SVA device: the mm structure is accessed after the domain that held the last reference to it has been freed.
Vulnerability analysis
The vulnerability stems from incorrect ordering in iommu_sva_unbind_device() where domain->mm->iommu_mm is accessed after iommu_domain_free() has potentially freed the underlying mm structure through the mmdrop() → __mmdrop() → mm_pasid_drop() call chain. The fix reorders operations to ensure all accesses to the mm structure occur before the domain is freed. This requires local access with IOMMU domain manipulation privileges, typically CAP_SYS_ADMIN, and hardware with SVA support.
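To make the ordering problem concrete, the following is an added, constructed C model of the call chain described above; it is not kernel code and not part of the KernelScan page. The struct layouts, the `freed` poison flag (standing in for kfree() so a stale read is detectable instead of undefined behaviour) and the plain integer refcount are simplifications assumed for the model.

```c
/* Constructed model of iommu_sva_unbind_device() ordering (not kernel code).
 * A refcounted mm owns an iommu_mm that mm_pasid_drop() releases when the
 * last reference to the mm goes away. */
struct iommu_mm_data { int pasid; int freed; };      /* freed: model poison flag */
struct mm_struct { int mm_count; struct iommu_mm_data *iommu_mm; };
struct iommu_domain { struct mm_struct *mm; };

/* Model stand-in for freeing iommu_mm: mark it instead of calling kfree(). */
static void mm_pasid_drop(struct mm_struct *mm) { mm->iommu_mm->freed = 1; }
static void __mmdrop(struct mm_struct *mm) { mm_pasid_drop(mm); }
/* Real kernel uses an atomic refcount; a plain int is enough for the model. */
static void mmdrop(struct mm_struct *mm) { if (--mm->mm_count == 0) __mmdrop(mm); }
/* The domain holds the reference that keeps mm (and thus iommu_mm) alive. */
static void iommu_domain_free(struct iommu_domain *domain) { mmdrop(domain->mm); }

/* Returns the pasid, or -1 if the read hit memory the model has freed. */
static int read_pasid(struct iommu_mm_data *iommu_mm)
{
    return iommu_mm->freed ? -1 : iommu_mm->pasid;
}

/* Vulnerable ordering: free the domain first, then touch domain->mm->iommu_mm. */
int unbind_vulnerable(struct iommu_domain *domain)
{
    iommu_domain_free(domain);
    return read_pasid(domain->mm->iommu_mm);   /* use after free */
}

/* Fixed ordering: read what is needed from iommu_mm before freeing the domain. */
int unbind_fixed(struct iommu_domain *domain)
{
    int pasid = read_pasid(domain->mm->iommu_mm);
    iommu_domain_free(domain);
    return pasid;
}

/* Build a domain whose mm is referenced only by that domain (mm_count == 1),
 * so iommu_domain_free() drops the last reference, then run one unbind variant. */
int run_unbind(int (*unbind)(struct iommu_domain *))
{
    struct iommu_mm_data data = { .pasid = 7, .freed = 0 };   /* constructed sample */
    struct mm_struct mm = { .mm_count = 1, .iommu_mm = &data };
    struct iommu_domain domain = { .mm = &mm };
    return unbind(&domain);
}
```

With the domain holding the sole mm reference, `run_unbind(unbind_vulnerable)` reports the stale read (-1) while `run_unbind(unbind_fixed)` returns the pasid; if another reference kept the mm alive the bug would not surface, which is why it depends on the domain being the last holder.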
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.20 | 58abeb7b9562 |
| 6.19 | 6.19.10 | f5daaa2c959d |
| mainline | 7.0 | 06e14c36e20b |