Skip to main content

Linux Kernel EUVDEUVD-2026-39886

| CVE-2026-53281 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-26 Linux GHSA-p9cf-q2gf-35mq
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Local low-privileged trigger (AV:L/PR:L) of an explicitly unlikely race (AC:H); reliable impact is a kernel crash (A:H) with only conditional UAF-driven C/I exposure (C:L/I:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:52 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 cve.org
HIGH 8.8
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, this lead to a NULL pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt.

Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the teardown operations.

Issue found by AI review and suggested by Kevin Tian. https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com

AnalysisAI

Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privileged access
Delivery
Invoke IOMMU/PASID detach on unattached domain
Exploit
dev_pasid lookup returns NULL
Execution
Teardown dereferences NULL or underflows refcount
Persist
Kernel panic or use-after-free
Impact
Denial of service or potential privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access with PR:L (authenticated, low privilege per the CVSS vector) on a host running the Intel VT-d IOMMU driver with PASID/dev_pasid teardown reachable - i.e., VT-d enabled and the attacker able to invoke an IOMMU domain detach/PASID-removal path for a domain that was never attached to that IOMMU (dev_pasid not present in the dev_pasids list). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and should be reconciled before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user or a constrained workload that can drive device/PASID detach operations repeatedly races the IOMMU teardown path against a domain that was never attached to that IOMMU, causing a NULL pointer dereference that panics the host or, by unbalancing the refcount, frees a structure still in use by other devices sharing the domain. The immediate, reliable outcome is a kernel crash (denial of service); the use-after-free could in principle be groomed toward privilege escalation, but no public exploit or proof-of-concept is identified at time of analysis.
Remediation Upstream fix available (stable commits), released patched version per stable tree metadata; apply your distribution's kernel update that incorporates commits 79ea2feb917b, 9022cb9ac0c2 or cdfe3c9f2c9e (git.kernel.org/stable/c/...), which add an early return when dev_pasid is NULL before any teardown operations. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems with Intel VT-d IOMMU enabled (check via 'dmesg | grep iommu' or /sys/kernel/iommu_groups; common on virtualization hosts). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy