CVE-2026-53281
Received - Intake
NULL Pointer Dereference in Linux Kernel IOMMU/vt-d

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL. However, the teardown operations are executed unconditionally, and this leads to a NULL pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which would cause an immediate dereference when checking --info->refcnt. Even if info is not NULL, decrementing the refcount without having removed a valid PASID might unbalance the count. This could lead to premature dropping of the refcount to 0, potentially causing a use-after-free for the remaining active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the teardown operations.

Issue found by AI review and suggested by Kevin Tian.

https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
Meta Information

Generated: 2026-06-27

AI Q&A: 2026-06-26

EPSS Evaluated: N/A
Affected Vendors & Products

Vendor: linux

Product: linux_kernel

Version / Range: *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's iommu/vt-d component and involves a NULL pointer dereference or reference count corruption.

Specifically, if the entry for a device and PASID (Process Address Space ID) is not found in the dev_pasids list, the dev_pasid pointer remains NULL. However, teardown operations are executed unconditionally, which can lead to dereferencing a NULL pointer or corrupting the reference count.

If the domain was never attached to the IOMMU, the info pointer will be NULL, causing an immediate NULL pointer dereference when the teardown evaluates --info->refcnt.

Even if info is not NULL, decrementing the reference count without removing a valid PASID can unbalance the count, potentially causing premature dropping of the refcount to zero and leading to use-after-free issues for devices sharing the domain.

The fix involves returning early if dev_pasid is NULL before executing teardown operations to avoid these issues.
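
A simplified user-space model of the teardown path described above, added here as an illustration; it is not kernel code or the upstream patch, and every struct and function name in it is a hypothetical stand-in. It shows the refcount staying balanced with the early return, and dropping to 0 without it while a device is still attached.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical user-space stand-ins for the objects the advisory names. */
struct dev_pasid { int dev_id, pasid; struct dev_pasid *next; };
struct iommu_info { int refcnt; };
struct domain { struct dev_pasid *dev_pasids; struct iommu_info *info; };

/* Unlink and return the matching entry, or NULL if it was never attached. */
static struct dev_pasid *unlink_dev_pasid(struct domain *d, int dev_id, int pasid)
{
    for (struct dev_pasid **pp = &d->dev_pasids; *pp; pp = &(*pp)->next)
        if ((*pp)->dev_id == dev_id && (*pp)->pasid == pasid) {
            struct dev_pasid *found = *pp;
            *pp = found->next;
            return found;
        }
    return NULL;
}

/* Pre-fix shape: the teardown step runs even when nothing was found. */
static int remove_unfixed(struct domain *d, int dev_id, int pasid)
{
    struct dev_pasid *dp = unlink_dev_pasid(d, dev_id, pasid);
    --d->info->refcnt;          /* a NULL info would fault right here */
    return dp ? 0 : -1;
}

/* Fixed shape: return early if dev_pasid is NULL, before any teardown. */
static int remove_fixed(struct domain *d, int dev_id, int pasid)
{
    struct dev_pasid *dp = unlink_dev_pasid(d, dev_id, pasid);
    if (!dp) return -1;         /* refcount and info are left untouched */
    --d->info->refcnt;
    return 0;
}

/* Constructed case: one attachment (refcnt 1), then an unattached PASID is removed. */
int refcnt_after(int use_fix)
{
    struct dev_pasid attached = { 1, 7, NULL };
    struct iommu_info info = { 1 };
    struct domain d = { &attached, &info };
    (use_fix ? remove_fixed : remove_unfixed)(&d, 2, 9);
    return info.refcnt;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", refcnt_after(0), refcnt_after(1));
}
```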

Mitigation Strategies

The vulnerability is fixed by a patch that avoids NULL pointer dereference or refcount corruption in the iommu/vt-d component of the Linux kernel.

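To mitigate this vulnerability, update your Linux kernel to a version that includes this fix, which returns early if dev_pasid is NULL before executing teardown operations. Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") is the earlier change that, per the description, fixed the problem only partly, so a kernel containing only that commit is not sufficient.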

Impact Analysis

This vulnerability can cause system instability or crashes due to NULL pointer dereference.

It can also lead to reference count corruption, which might cause use-after-free conditions affecting devices sharing the same domain.

Such use-after-free issues can potentially be exploited to cause unexpected behavior or security risks in the system.
