Skip to main content

Linux Kernel CVE-2026-45931

| EUVDEUVD-2026-32215 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gfc2-582g-3757
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 30, 2026 - 11:28 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed.

Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.

AnalysisAI

Local privilege escalation or denial-of-service in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) arises from a use-after-free of the mm structure during iommu_sva_unbind_device(). The driver previously released the mm reference before unbinding, allowing iommu_mm access on freed memory. No public exploit identified at time of analysis and EPSS scores this at 0.02% (4th percentile), indicating very low expected exploitation activity in the near term.

Technical ContextAI

The bug lives in the AMD XDNA accelerator subsystem (drivers/accel/amdxdna), which provides kernel-side support for AMD's AI/ML NPU hardware on Ryzen AI platforms. The driver uses IOMMU Shared Virtual Addressing (SVA) so the accelerator can directly access a user process's address space; iommu_sva_bind_device() and iommu_sva_unbind_device() manage that binding. The root cause is a lifetime/refcount mismatch (use-after-free class, akin to CWE-416): the driver did not hold a reference on the mm_struct across the bind/unbind window, so if the owning process's mm was torn down first, the subsequent iommu_sva_unbind_device() dereferenced an already-freed iommu_mm field. The fix takes an explicit mmgrab-style reference after a successful bind and drops it only after unbind.

RemediationAI

Upgrade to a Linux kernel that includes the fix: stable 6.18.14, stable 6.19.4, or any later mainline release containing commits a9162439, f31ccf62, and f6b4c1d9 (see https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63, https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398, and https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c) - distribution kernels should pick up the backport via vendor security updates. If patching must be deferred, the most direct compensating control is to prevent the vulnerable code path from being reachable: blacklist or unload the amdxdna module (modprobe -r amdxdna; echo 'blacklist amdxdna' > /etc/modprobe.d/amdxdna.conf), which disables NPU acceleration for AI workloads as a side effect. Where unloading is not acceptable, tighten DAC/ACLs on the /dev/accel/accel* character devices so only trusted service accounts can open the accelerator, reducing the local attack surface at the cost of breaking unprivileged AI/ML tooling that relies on the NPU.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy