Skip to main content

Linux CVE-2026-23429

| EUVDEUVD-2026-18664 HIGH
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
5.5 (MEDIUM) 7.8 (HIGH)
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
58abeb7b9562f25bdfa2f5ae5ce803eb02e74433,06e14c36e20b48171df13d51b89fe67c594ed07a
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18664
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().

AnalysisAI

Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.

Technical ContextAI

The vulnerability exists in the Linux kernel's IOMMU (Input/Output Memory Management Unit) Shared Virtual Addressing (SVA) subsystem, specifically in the unbind device path. SVA allows devices to access process virtual address spaces directly. The root cause is a use-after-free condition in iommu_sva_unbind_device(): the function accesses domain->mm->iommu_mm after iommu_domain_free() has already freed the memory management structure through the call chain iommu_domain_free() → mmdrop() → __mmdrop() → mm_pasid_drop(). This violates memory safety principles and results in dereferencing freed heap memory. The fix is a simple code reordering that moves access to domain->mm->iommu_mm to occur before the iommu_domain_free() call, ensuring the pointer remains valid.

RemediationAI

Apply the upstream fix by updating to a Linux kernel version containing one of the three commits: 58abeb7b9562f25bdfa2f5ae5ce803eb02e74433, f5daaa2c959d9f894fb5b1ab76da8612dd220a0d, or 06e14c36e20b48171df13d51b89fe67c594ed07a from the stable kernel tree. These commits reorder the iommu_sva_unbind_device() code to access domain->mm->iommu_mm before calling iommu_domain_free(). Kernel maintainers should backport the fix to all stable kernel branches in use. No workaround is available; kernel upgrade is required. Verify SVA functionality after patching to confirm no regressions in IOMMU SVA device binding and unbinding.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy