CVE-2026-52952
Received Received - Intake
Kernel IOMMU Domain Reset Use-After-Free

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52952
EUVD
EUVD-2026-38820
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's IOMMU subsystem, specifically related to the function __iommu_group_set_domain_nofail(). The issue arises when concurrent domain attachments are rejected during device group recovery, which triggers a warning (WARN_ON). This rejection is intended to prevent conflicts when devices share the same Requester ID (RID) due to PCI DMA alias quirks. However, this causes a problem where certain nofail paths that should not be rejected end up triggering a use-after-free (UAF) condition when re-attaching the domain pointer to the device group.

The fix involves honoring the IOMMU_SET_DOMAIN_MUST_SUCCEED flag to allow domain pointer updates during recovery, while adding a check to prevent concurrent per-device detachment. This prevents the UAF and the WARN_ON from occurring.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's IOMMU subsystem. Such a condition may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the improper handling of device domain attachments and detachments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart