Skip to main content

Linux Kernel EUVDEUVD-2026-38925

| CVE-2026-53057 HIGH
2026-06-24 Linux GHSA-fjm2-575q-p7vq
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local low-priv operator drives DDT/PDT remaps (AV:L/PR:L); exploiting stale cached translations is a timing/race window so AC:H; IOMMU isolation breach crosses domains so S:C with high C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:00 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 8.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/riscv: Add IOTINVAL after updating DDT/PDT entries

Add riscv_iommu_iodir_iotinval() to perform required TLB and context cache invalidations after updating DDT or PDT entries, as mandated by the RISC-V IOMMU specification (Section 6.3.1 and 6.3.2).

AnalysisAI

Privilege/isolation bypass in the Linux kernel RISC-V IOMMU driver allows a local low-privileged actor to leverage stale address translations because the driver failed to issue mandatory TLB and context-cache invalidations (IOTINVAL) after updating Device Directory Table (DDT) or Page Directory Table (PDT) entries. Affecting RISC-V platforms running kernels prior to the stable fixes (6.18.33, 7.0.10, 7.1), the gap can let a device or its controlling principal access memory outside its intended IOMMU domain, breaking DMA isolation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged access on RISC-V host
Delivery
Trigger DDT/PDT remap via device attach/detach
Exploit
IOMMU reuses stale cached translation
Execution
Issue DMA to out-of-domain memory
Impact
Read or corrupt cross-domain/host memory

Vulnerability AssessmentAI

Exploitation Exploitation requires a RISC-V platform with the kernel RISC-V IOMMU driver active and a workflow that updates DDT or PDT entries - i.e., device attach/detach, domain reattachment, or PASID/PDT context changes such as those exercised by VFIO/PCIe-passthrough. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a RISC-V host using IOMMU-based device passthrough, a local low-privileged operator (or a guest controlling an assigned device) triggers a sequence of device attach/detach or address-space remap operations, then relies on the IOMMU continuing to honor stale cached DDT/PDT translations to issue DMA against memory that should no longer be reachable. The result is reading residual or cross-domain memory (information disclosure) or corrupting it, breaking IOMMU isolation. …
Remediation Apply the vendor-released stable kernel fixes: upgrade to Linux 6.18.33, 7.0.10, or 7.1 (or backport the three upstream fix commits 3f917d9b, d99d1c13, and f5c262b5 from https://git.kernel.org/stable/c/ ) which add riscv_iommu_iodir_iotinval() to invalidate caches after DDT/PDT updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all RISC-V systems running Linux and document current kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy