Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local-only race (AV:L/AC:H) reachable only with privileged device/VFIO control (PR:H); kernel UAF gives full C/I/A impact within the host, no cross-boundary scope change (S:U).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail().
Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain.
Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
AnalysisAI
Use-after-free in the Linux kernel's IOMMU subsystem allows a local low-privileged actor with device-management access to corrupt kernel memory by racing a domain re-attach against an in-progress PCI device reset. The flaw lies in __iommu_group_set_domain_internal(), where the group->recovery_cnt fence wrongly rejected mandatory detach/teardown callers (IOMMU_SET_DOMAIN_MUST_SUCCEED), so group->domain could be freed while still referenced, and pci_dev_reset_iommu_done() could then re-attach the dangling pointer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access plus the ability to drive IOMMU domain attach/detach and PCI device reset - realistically VFIO/device-passthrough, PCI hotplug, or device-reset privileges. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base 8.8) indicates a high-severity local issue, but the signals are mixed and should temper prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with device-management privileges (for example a tenant granted VFIO passthrough or PCI reset capability) repeatedly triggers a PCI device reset on a multi-device IOMMU group while concurrently forcing a domain detach/teardown, racing pci_dev_reset_iommu_done() into re-attaching an already-freed group->domain. Winning the race yields a kernel use-after-free that can corrupt memory for privilege escalation or denial of service. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel, specifically 7.0.10 or 7.1, which include commits 8fc289e809f3eb7e36cadc4684ab6fad747a5a93 and 5474e6e17a262db45c60575c73f70210f5c7001f (https://git.kernel.org/stable/c/8fc289e809f3eb7e36cadc4684ab6fad747a5a93 and https://git.kernel.org/stable/c/5474e6e17a262db45c60575c73f70210f5c7001f); apply the corresponding distribution kernel update once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems in production and non-production environments; identify those with IOMMU subsystem enabled and active local user populations; assess exposure by criticality tier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38820
GHSA-xhhc-r2pj-8hh5