CVE-2026-52952
Analyzed Analyzed - Analysis Complete

Kernel IOMMU Domain Reset Use-After-Free

Vulnerability report for CVE-2026-52952, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-15

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 7.0 (inc) to 7.0.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's IOMMU subsystem, specifically related to the function __iommu_group_set_domain_nofail(). The issue arises when concurrent domain attachments are rejected during device group recovery, which triggers a warning (WARN_ON). This rejection is intended to prevent conflicts when devices share the same Requester ID (RID) due to PCI DMA alias quirks. However, this causes a problem where certain nofail paths that should not be rejected end up triggering a use-after-free (UAF) condition when re-attaching the domain pointer to the device group.

The fix involves honoring the IOMMU_SET_DOMAIN_MUST_SUCCEED flag to allow domain pointer updates during recovery, while adding a check to prevent concurrent per-device detachment. This prevents the UAF and the WARN_ON from occurring.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's IOMMU subsystem. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the improper handling of device domain attachments and detachments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart