
CVE-2026-23429: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23429 is a use-after-free flaw in the Linux Kernel's IOMMU subsystem that can cause system crashes. This article covers the technical details, affected versions, security impact, and mitigation strategies.

Updated: May 16, 2026

CVE-2026-23429 Overview

CVE-2026-23429 is a use-after-free vulnerability in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) subsystem. The flaw resides in iommu_sva_unbind_device(), where the code dereferences domain->mm->iommu_mm after iommu_domain_free() has already released the underlying memory descriptor through mmdrop() and mm_pasid_drop(). A local, low-privileged user can trigger the dangling pointer access, producing kernel memory corruption and a system crash. The defect affects Linux kernel 6.19 and 7.0 release candidates rc1 through rc7. Patches landed in the upstream stable tree under commits 06e14c36, 58abeb7b, and f5daaa2c.

Critical Impact

Local attackers with access to IOMMU SVA-enabled devices can trigger a kernel use-after-free, causing denial of service through host crashes.

Affected Products

  • Linux Kernel 6.19
  • Linux Kernel 7.0-rc1 through 7.0-rc7
  • Distributions shipping mainline IOMMU SVA support on these kernel versions

Discovery Timeline

  • 2026-04-03 - CVE-2026-23429 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-23429

Vulnerability Analysis

The Linux IOMMU SVA subsystem lets devices share a process's virtual address space using PASIDs (Process Address Space IDs). When a device unbinds from a process, iommu_sva_unbind_device() tears down the binding and releases the associated IOMMU domain.

The defect is an ordering bug. iommu_domain_free() invokes mmdrop(), which calls __mmdrop() and mm_pasid_drop(), releasing the mm_struct and its embedded iommu_mm state. After iommu_domain_free() returns, the existing code path still references domain->mm->iommu_mm, dereferencing freed memory. The result is a classic use-after-free condition reachable from kernel control flow tied to device unbind.

The upstream fix reorders the function so any read of domain->mm->iommu_mm occurs before the call to iommu_domain_free(), eliminating the dangling reference.

Root Cause

The root cause is incorrect lifetime management of the mm_struct referenced by an IOMMU SVA domain. The kernel frees the mm through mmdrop() inside iommu_domain_free() while the caller continues to assume the pointer remains valid. This violates the implicit contract that domain->mm outlives operations on domain.

Attack Vector

The attack vector is local. An attacker requires the ability to interact with a process or device that uses IOMMU SVA bindings, typically through a userspace driver interface such as VFIO, uacce, or an accelerator framework that issues bind and unbind operations. Repeated unbind operations under controlled timing can deterministically hit the freed iommu_mm access, crashing the kernel. The CVSS vector indicates no impact to confidentiality or integrity, but high impact to availability.

No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-23429

Indicators of Compromise

  • Kernel oops or panic stack traces containing iommu_sva_unbind_device, iommu_domain_free, mmdrop, or mm_pasid_drop frames.
  • KASAN reports flagging use-after-free reads on an mm_struct or iommu_mm object during SVA teardown.
  • Unexpected host reboots on systems exposing IOMMU SVA-enabled accelerators to unprivileged workloads.

Detection Strategies

  • Enable CONFIG_KASAN on test kernels to surface the use-after-free at the moment of access rather than at a later crash site.
  • Audit running kernel versions against the affected range (6.19 and 7.0-rc1 through 7.0-rc7) using uname -r inventories collected centrally.
  • Correlate kern.log, dmesg, and crash dump telemetry for repeated faults tied to SVA unbind paths on the same host.
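
The version audit described above can be scripted as follows. This is an added example, not code from the advisory or the kernel project; the "host release" inventory format, the host names and the function names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag inventory entries whose `uname -r` string falls in the
# release series the advisory lists (6.19, 7.0-rc1 through 7.0-rc7).

# Echoes "in-range" or "out-of-range" for one kernel release string.
# "in-range" means "check that the fix is backported", not "confirmed
# vulnerable": the release string cannot show whether a vendor patched it.
classify_kernel() {
    case "$1" in
        6.19|6.19[!0-9]*)                   echo in-range ;;
        7.0-rc[1-7]|7.0-rc[1-7][!0-9]*)     echo in-range ;;
        7.0.0-rc[1-7]|7.0.0-rc[1-7][!0-9]*) echo in-range ;;
        *)                                  echo out-of-range ;;
    esac
}

# Reads "host release" pairs on stdin and prints the hosts to review.
hosts_to_review() {
    while read -r host release; do
        [ -n "$host" ] || continue
        if [ "$(classify_kernel "$release")" = in-range ]; then
            echo "$host"
        fi
    done
    return 0
}

# Constructed inventory (assumed format: one "host release" pair per line).
sample_inventory() {
    cat <<'EOF'
web-01 6.18.9-generic
gpu-01 6.19.2-amd64
gpu-02 7.0.0-rc3+
acc-01 7.0.0
EOF
}

sample_inventory | hosts_to_review
```
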

Monitoring Recommendations

  • Ship dmesg and /var/log/kern.log to a centralized log platform and alert on oops signatures referencing iommu_sva symbols.
  • Track unplanned reboots and kernel panic frequency per host group to identify clustered exploitation attempts.
  • Inventory hosts exposing VFIO, uacce, or vendor SVA interfaces to non-root workloads and prioritize them for patching.
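
One way to implement the oops-signature alert and the per-host fault count over centrally collected logs, as an added example that is not part of the original advisory. It assumes classic syslog-format kern.log lines ("Mon DD HH:MM:SS host kernel: message"); the function names, the 40-line trace window and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count crash reports per host that touch the SVA unbind path.

# Prints "<host> <count>" for each host with at least one crash report
# (oops, panic or KASAN use-after-free) whose header or stack frames name
# one of the symbols the advisory lists. Reads files given as arguments,
# or stdin when there are none.
scan_sva_faults() {
    awk '
    # Only kernel messages; field 4 is the host, field 5 the "kernel:" tag.
    $5 != "kernel:" { next }
    {
        host = $4
        # A report header opens a window covering the trace that follows.
        if ($0 ~ /BUG: KASAN: (slab-)?use-after-free|Oops:|Kernel panic|general protection fault/) {
            window[host] = 40; counted[host] = 0
        }
        if (window[host] > 0) {
            window[host]--
            # Count each report once, however many frames match.
            if (!counted[host] && $0 ~ /iommu_sva_unbind_device|iommu_domain_free|mm_pasid_drop|mmdrop/) {
                hits[host]++; counted[host] = 1
            }
        }
    }
    END { for (h in hits) print h, hits[h] }
    ' "$@" | sort
}

# Constructed sample: two matching reports on node-a, an unrelated oops on
# node-b, and non-crash lines on node-c that must not be counted.
sample_kern_log() {
    cat <<'EOF'
May 16 10:00:01 node-a kernel: [  812.101] BUG: KASAN: slab-use-after-free in iommu_sva_unbind_device+0x1a4/0x210
May 16 10:00:01 node-a kernel: [  812.102] Call Trace:
May 16 10:00:01 node-a kernel: [  812.103]  iommu_sva_unbind_device+0x1a4/0x210
May 16 10:03:15 node-b kernel: [  301.550] Oops: 0000 [#1] SMP
May 16 10:03:15 node-b kernel: [  301.551]  ext4_file_write_iter+0x5e/0x900
May 16 10:04:00 node-c kernel: [   12.000] iommu: Default domain type: Translated
May 16 10:04:00 node-c sshd[411]: Accepted publickey for ops
May 16 10:07:42 node-a kernel: [   64.330] Oops: 0000 [#1] SMP
May 16 10:07:42 node-a kernel: [   64.331]  mm_pasid_drop+0x2c/0x80
EOF
}

sample_kern_log | scan_sva_faults
```
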

How to Mitigate CVE-2026-23429

Immediate Actions Required

  • Upgrade to a kernel that includes commits 06e14c36, 58abeb7b, or f5daaa2c from the upstream stable tree.
  • On systems that cannot be patched immediately, restrict access to IOMMU SVA-capable device interfaces to trusted administrators only.
  • Rebuild and redeploy custom kernels (6.19, 7.0-rc) that vendor IOMMU SVA support with the upstream fix backported.

Patch Information

The vulnerability is fixed upstream by reordering iommu_sva_unbind_device() so that domain->mm->iommu_mm is captured before iommu_domain_free() is called. Apply one of the following commits depending on the target branch: Kernel Git Commit 06e14c36, Kernel Git Commit 58abeb7b, or Kernel Git Commit f5daaa2c.

Workarounds

  • Disable IOMMU SVA at boot by removing or not enabling the relevant SVA/PASID kernel options where workloads do not require shared virtual addressing.
  • Revoke unprivileged access to character devices that expose SVA bind/unbind operations, such as nodes under /dev/uacce/ or VFIO group nodes.
  • Avoid deploying 7.0 release candidate kernels in production until a stable release containing the fix is available.

```bash
# Verify running kernel version and check for affected range
uname -r

# Restrict access to uacce and VFIO device nodes (example)
chmod 0600 /dev/vfio/vfio
find /dev/uacce -maxdepth 1 -type c -exec chmod 0600 {} \;

# After patching, confirm the fix commit is present in the source tree
git -C /usr/src/linux log --oneline | grep -E '06e14c36|58abeb7b|f5daaa2c'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Linux Kernel
  • Severity: MEDIUM
  • CVSS Score: 5.5
  • EPSS Probability: 0.01%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • NVD-CWE-noinfo

Vendor Resources

  • Kernel Git Commit 06e14c36
  • Kernel Git Commit 58abeb7b
  • Kernel Git Commit f5daaa2c

Related CVEs

  • CVE-2026-43328: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43500: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43333: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43335: Linux Kernel Use-After-Free Vulnerability