Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local low-privileged trigger (AV:L/PR:L) of an explicitly unlikely race (AC:H); reliable impact is a kernel crash (A:H) with only conditional UAF-driven C/I exposure (C:L/I:L).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly.
If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, this lead to a NULL pointer dereference or refcount corruption.
If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt.
Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain.
Fix it by returning early if dev_pasid is NULL, before executing the teardown operations.
Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
AnalysisAI
Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with PR:L (authenticated, low privilege per the CVSS vector) on a host running the Intel VT-d IOMMU driver with PASID/dev_pasid teardown reachable - i.e., VT-d enabled and the attacker able to invoke an IOMMU domain detach/PASID-removal path for a domain that was never attached to that IOMMU (dev_pasid not present in the dev_pasids list). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should be reconciled before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user or a constrained workload that can drive device/PASID detach operations repeatedly races the IOMMU teardown path against a domain that was never attached to that IOMMU, causing a NULL pointer dereference that panics the host or, by unbalancing the refcount, frees a structure still in use by other devices sharing the domain. The immediate, reliable outcome is a kernel crash (denial of service); the use-after-free could in principle be groomed toward privilege escalation, but no public exploit or proof-of-concept is identified at time of analysis. |
| Remediation | Upstream fix available (stable commits), released patched version per stable tree metadata; apply your distribution's kernel update that incorporates commits 79ea2feb917b, 9022cb9ac0c2 or cdfe3c9f2c9e (git.kernel.org/stable/c/...), which add an early return when dev_pasid is NULL before any teardown operations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems with Intel VT-d IOMMU enabled (check via 'dmesg | grep iommu' or /sys/kernel/iommu_groups; common on virtualization hosts). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39886
GHSA-p9cf-q2gf-35mq