{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23429", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.016Z", "datePublished": "2026-04-03T15:15:15.856Z", "dateUpdated": "2026-04-03T15:15:15.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:15.856Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sva: Fix crash in iommu_sva_unbind_device()\n\ndomain->mm->iommu_mm can be freed by iommu_domain_free():\n iommu_domain_free()\n mmdrop()\n __mmdrop()\n mm_pasid_drop()\nAfter iommu_domain_free() returns, accessing domain->mm->iommu_mm may\ndereference a freed mm structure, leading to a crash.\n\nFix this by moving the code that accesses domain->mm->iommu_mm to before\nthe call to iommu_domain_free()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommu-sva.c"], "versions": [{"version": "9f0a7ab700f8620e433b05c57fbd26c92ea186d9", "lessThan": "58abeb7b9562f25bdfa2f5ae5ce803eb02e74433", "status": "affected", "versionType": "git"}, {"version": "e37d5a2d60a338c5917c45296bac65da1382eda5", "lessThan": "f5daaa2c959d9f894fb5b1ab76da8612dd220a0d", "status": "affected", "versionType": "git"}, {"version": "e37d5a2d60a338c5917c45296bac65da1382eda5", "lessThan": "06e14c36e20b48171df13d51b89fe67c594ed07a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommu-sva.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.7", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433"}, {"url": "https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d"}, {"url": "https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a"}], "title": "iommu/sva: Fix crash in iommu_sva_unbind_device()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sva: Fix crash in iommu_sva_unbind_device()\n\ndomain->mm->iommu_mm can be freed by iommu_domain_free():\n iommu_domain_free()\n mmdrop()\n __mmdrop()\n mm_pasid_drop()\nAfter iommu_domain_free() returns, accessing domain->mm->iommu_mm may\ndereference a freed mm structure, leading to a crash.\n\nFix this by moving the code that accesses domain->mm->iommu_mm to before\nthe call to iommu_domain_free()."}], "id": "CVE-2026-23429", "lastModified": "2026-04-03T16:16:24.210", "metrics": {}, "published": "2026-04-03T16:16:24.210", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f0a7ab700f8620e433b05c57fbd26c92ea186d9,58abeb7b9562f25bdfa2f5ae5ce803eb02e74433)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e37d5a2d60a338c5917c45296bac65da1382eda5,f5daaa2c959d9f894fb5b1ab76da8612dd220a0d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e37d5a2d60a338c5917c45296bac65da1382eda5,06e14c36e20b48171df13d51b89fe67c594ed07a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:29:16.906604+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the fix commit 06e14c36e20b48171df13d51b89fe67c594ed07a or newer.", "Verify that the operating system does not invoke iommu_sva_unbind_device on device removal while the domain is still in use.", "If a timely kernel update is not possible, avoid using devices or drivers that trigger this unbind path, or restrict privileged access to kernel operators to reduce the attack surface."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via kernel crash"}, "threat_synthesis": {"affected_systems": "The flaw is limited to the Linux operating system kernel, particularly code paths that invoke iommu_sva_unbind_device(). No specific kernel release versions are enumerated in the advisory, so all kernels containing this code path without the applied fix are potentially impacted. Systems running a kernel that has not integrated the patch commit are vulnerable.", "description_and_impact": "The vulnerability arises in the Linux kernel's IOMMU subsystem, where freeing an IOMMU domain leaves a pointer to the domain's memory\u2011management structure dangling. Subsequent code accesses this freed structure, causing a null or invalid pointer dereference that results in a kernel crash. This can be triggered when a device is unbound from an IOMMU domain, leading to a denial of service because the entire system may panic.", "risk_and_exploitability": "The severity is high because a kernel crash can terminate critical services or bring the host down. While the CVSS score is not provided, use\u2011after\u2011free weaknesses typically receive high scores. The exploit requires that an attacker can cause the unbinding operation, which is usually privileged. Therefore, the attack vector is local with kernel privileges. Because the exploit is not publicly documented and the EPSS score is unavailable, the likelihood of exploitation remains uncertain, but the impact warrants immediate mitigation. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-03T21:14:08.943491+00:00", "updated": "2026-04-03T21:16:22.480589+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}