Home

Description

In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().

PUBLISHED Reserved 2026-01-13 | Published 2026-04-03 | Updated 2026-05-23 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

9f0a7ab700f8620e433b05c57fbd26c92ea186d9 (git) before 58abeb7b9562f25bdfa2f5ae5ce803eb02e74433
affected

e37d5a2d60a338c5917c45296bac65da1382eda5 (git) before f5daaa2c959d9f894fb5b1ab76da8612dd220a0d
affected

e37d5a2d60a338c5917c45296bac65da1382eda5 (git) before 06e14c36e20b48171df13d51b89fe67c594ed07a
affected

6.18.7 (semver) before 6.18.20
affected

Default status
affected

6.19
affected

Any version before 6.19
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433

git.kernel.org/...c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d

git.kernel.org/...c/06e14c36e20b48171df13d51b89fe67c594ed07a

cve.org (CVE-2026-23429)

nvd.nist.gov (CVE-2026-23429)

Download JSON