CVE-2026-23429
Received Received - Intake
Use-After-Free Vulnerability in Linux Kernel iommu_sva Causes Crash

Publication date: 2026-04-03

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash. Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23429
EUVD
EUVD-2026-18664
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 6.19
linux linux_kernel From 6.18.7 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19.1 (inc) to 6.19.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's iommu/sva component. It involves a crash caused by accessing a freed memory structure. Specifically, after the function iommu_domain_free() is called, the code still tries to access domain->mm->iommu_mm, which may have already been freed. This leads to a dereference of a freed memory structure and causes the system to crash.

The fix involves moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free(), preventing access to freed memory.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to accessing freed memory. Such crashes can lead to system instability, unexpected reboots, or denial of service conditions, potentially disrupting normal operations on affected systems.

Mitigation Strategies

The vulnerability is caused by accessing a freed mm structure after iommu_domain_free() returns, leading to a crash.

To mitigate this vulnerability, ensure that the Linux kernel is updated with the fix that moves the code accessing domain->mm->iommu_mm to before the call to iommu_domain_free().

Applying the official patch or updating to a kernel version that includes this fix is the immediate recommended step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart