CVE-2026-23429 Overview
CVE-2026-23429 is a use-after-free vulnerability in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) subsystem. The flaw resides in iommu_sva_unbind_device(), where the code dereferences domain->mm->iommu_mm after iommu_domain_free() has already released the underlying memory descriptor through mmdrop() and mm_pasid_drop(). A local, low-privileged user can trigger the dangling pointer access, producing kernel memory corruption and a system crash. The defect affects Linux kernel 6.19 and 7.0 release candidates rc1 through rc7. Patches landed in the upstream stable tree under commits 06e14c36, 58abeb7b, and f5daaa2c.
Critical Impact
Local attackers with access to IOMMU SVA-enabled devices can trigger a kernel use-after-free, causing denial of service through host crashes.
Affected Products
- Linux Kernel 6.19
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Distributions shipping mainline IOMMU SVA support on these kernel versions
Discovery Timeline
- 2026-04-03 - CVE-2026-23429 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-23429
Vulnerability Analysis
The Linux IOMMU SVA subsystem lets devices share a process's virtual address space using PASIDs (Process Address Space IDs). When a device unbinds from a process, iommu_sva_unbind_device() tears down the binding and releases the associated IOMMU domain.
The defect is an ordering bug. iommu_domain_free() invokes mmdrop(), which calls __mmdrop() and mm_pasid_drop(), releasing the mm_struct and its embedded iommu_mm state. After iommu_domain_free() returns, the existing code path still references domain->mm->iommu_mm, dereferencing freed memory. The result is a classic use-after-free condition reachable from kernel control flow tied to device unbind.
The upstream fix reorders the function so any read of domain->mm->iommu_mm occurs before the call to iommu_domain_free(), eliminating the dangling reference.
Root Cause
The root cause is incorrect lifetime management of the mm_struct referenced by an IOMMU SVA domain. The kernel frees the mm through mmdrop() inside iommu_domain_free() while the caller continues to assume the pointer remains valid. This violates the implicit contract that domain->mm outlives operations on domain.
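The ordering bug and its fix, reduced to a userspace C model. This is an added example, not kernel source or the upstream patch: the `_model` types and functions are hypothetical stand-ins, and the model assumes the domain holds one counted reference on the mm.

```c
/* Userspace model, not kernel source; all *_model names are hypothetical. */
#include <stdio.h>
struct iommu_mm_model { int live; int sva_users; };
struct mm_model { int live; int refcount; struct iommu_mm_model iommu_mm; };
struct domain_model { struct mm_model *mm; };
static int stale_reads;  /* reads of objects marked dead, as KASAN would flag */

/* Stand-in for mmdrop(): the last reference tears down mm and its iommu_mm. */
static void mmdrop_model(struct mm_model *mm)
{
    if (--mm->refcount == 0) mm->live = mm->iommu_mm.live = 0;
}
/* Stand-in for iommu_domain_free(): releases the domain's mm reference. */
static void domain_free_model(struct domain_model *d) { mmdrop_model(d->mm); }
static int read_sva_users(struct mm_model *mm)
{
    if (!mm->live || !mm->iommu_mm.live) { stale_reads++; return -1; }
    return mm->iommu_mm.sva_users;
}

/* Pre-fix ordering: free first, then touch domain->mm->iommu_mm. */
static int unbind_buggy(struct domain_model *d)
{
    domain_free_model(d);
    return read_sva_users(d->mm);
}
/* Post-fix ordering: read while the reference is still held, then free. */
static int unbind_fixed(struct domain_model *d)
{
    int users = read_sva_users(d->mm);
    domain_free_model(d);
    return users;
}

/* One unbind on an mm that holds `refs` references; returns the stale reads. */
static int run_case(int fixed, int refs)
{
    struct mm_model mm = { 1, refs, { 1, 1 } };
    struct domain_model d = { &mm };
    stale_reads = 0;
    (void)(fixed ? unbind_fixed(&d) : unbind_buggy(&d));
    return stale_reads;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", run_case(0, 1), run_case(1, 1));
    return 0;
}
```

In this model `run_case(0, 2)` reports no stale read: while another reference keeps the mm alive, the pre-fix ordering still reads valid memory, so the fault only shows when the domain's reference is the last one.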
Attack Vector
The attack vector is local. An attacker requires the ability to interact with a process or device that uses IOMMU SVA bindings, typically through a userspace driver interface such as VFIO, uacce, or an accelerator framework that issues bind and unbind operations. Repeated unbind operations under controlled timing can deterministically hit the freed iommu_mm access, crashing the kernel. The CVSS vector indicates no impact to confidentiality or integrity, but high impact to availability.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-23429
Indicators of Compromise
- Kernel oops or panic stack traces containing iommu_sva_unbind_device, iommu_domain_free, mmdrop, or mm_pasid_drop frames.
- KASAN reports flagging use-after-free reads on an mm_struct or iommu_mm object during SVA teardown.
- Unexpected host reboots on systems exposing IOMMU SVA-enabled accelerators to unprivileged workloads.
Detection Strategies
- Enable CONFIG_KASAN on test kernels to surface the use-after-free at the moment of access rather than at a later crash site.
- Audit running kernel versions against the affected range (6.19 and 7.0-rc1 through 7.0-rc7) using uname -r inventories collected centrally.
- Correlate kernel.log, dmesg, and crash dump telemetry for repeated faults tied to SVA unbind paths on the same host.
Monitoring Recommendations
- Ship dmesg and /var/log/kern.log to a centralized log platform and alert on oops signatures referencing iommu_sva symbols.
- Track unplanned reboots and kernel panic frequency per host group to identify clustered exploitation attempts.
- Inventory hosts exposing VFIO, uacce, or vendor SVA interfaces to non-root workloads and prioritize them for patching.
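One way to combine the version audit and the log-signature checks listed above into a per-host triage function. This is an added example, not vendor or kernel tooling: the function names, the bitmask result and the sample log lines are constructed for illustration, and every 6.19.y release is flagged because the page names no fixed point release.

```c
/* Added triage sketch (not vendor tooling); inputs in main() are constructed. */
#include <stdio.h>
#include <string.h>

/* 1 if the release string falls in the range this page lists.
 * Assumption: every 6.19.y is flagged, as the page names no fixed point release. */
static int release_listed(const char *rel)
{
    int maj = 0, min = 0, rc = 0;
    const char *p = strstr(rel, "-rc");
    if (sscanf(rel, "%d.%d", &maj, &min) != 2)
        return 0;
    if (maj == 6 && min == 19)
        return 1;
    if (maj == 7 && min == 0 && p && sscanf(p, "-rc%d", &rc) == 1)
        return rc >= 1 && rc <= 7;
    return 0;
}

/* 1 if a log excerpt holds a fault marker and the SVA unbind frame.
 * Assumption: the excerpt is a single report, so both belong to one trace. */
static int log_has_sva_fault(const char *log)
{
    static const char *const markers[] = { "BUG: KASAN:", "Oops:", "Kernel panic" };
    int fault = 0;
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(log, markers[i]))
            fault = 1;
    return fault && strstr(log, "iommu_sva_unbind_device") != NULL;
}

/* Bit 0: release listed as affected. Bit 1: fault signature present. */
static int triage(const char *release, const char *log)
{
    return release_listed(release) | (log_has_sva_fault(log) << 1);
}

int main(void)
{
    const char *trace =   /* constructed sample, not captured output */
        "[  812.440112] BUG: KASAN: slab-use-after-free in iommu_sva_unbind_device+0x9c/0x140\n"
        "[  812.440355]  iommu_domain_free+0x31/0x60\n";
    const char *benign = "[    3.101] iommu: Default domain type: Translated\n";
    printf("%d %d %d\n", triage("7.0.0-rc3", trace),
           triage("6.19.2-generic", benign), triage("6.18.7", benign));
    return 0;
}
```

A result of 3 (listed release plus fault signature) is the case to escalate first; 1 alone is a patching item, and 2 on an unlisted kernel still warrants a look at the full trace.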
How to Mitigate CVE-2026-23429
Immediate Actions Required
- Upgrade to a kernel that includes commits 06e14c36, 58abeb7b, or f5daaa2c from the upstream stable tree.
- On systems that cannot be patched immediately, restrict access to IOMMU SVA-capable device interfaces to trusted administrators only.
- Rebuild and redeploy custom kernels (6.19, 7.0-rc) that vendor IOMMU SVA support with the upstream fix backported.
Patch Information
The vulnerability is fixed upstream by reordering iommu_sva_unbind_device() so that domain->mm->iommu_mm is captured before iommu_domain_free() is called. Apply one of the following commits depending on the target branch: 06e14c36, 58abeb7b, or f5daaa2c.
Workarounds
- Disable IOMMU SVA at boot by removing or not enabling the relevant SVA/PASID kernel options where workloads do not require shared virtual addressing.
- Revoke unprivileged access to character devices that expose SVA bind/unbind operations, such as nodes under /dev/uacce/ or VFIO group nodes.
- Avoid deploying 7.0 release candidate kernels in production until a stable release containing the fix is available.
# Verify running kernel version and check for affected range
uname -r
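# Restrict access to uacce and VFIO device nodes (example)
# Modes set with chmod do not persist across reboots; add a matching udev rule to keep them
chmod 0600 /dev/vfio/vfio
find /dev/uacce -maxdepth 1 -type c -exec chmod 0600 {} \;
# After patching, confirm the fix commit is present in the source tree
# (anchor on the hash column so a commit subject cannot produce a false match)
git -C /usr/src/linux log --oneline --abbrev=12 | grep -E '^(06e14c36|58abeb7b|f5daaa2c)'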


