Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53280

CVE-2026-53280: Linux Kernel Privilege Escalation Flaw

CVE-2026-53280 is a privilege escalation vulnerability in the Linux kernel IOMMU subsystem that causes NULL pointer dereference crashes. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-53280 Overview

CVE-2026-53280 is a NULL pointer dereference vulnerability in the Linux kernel's Input/Output Memory Management Unit (IOMMU) subsystem. The flaw resides in the pci_dev_reset_iommu_done() function, where group->domain can be NULL if a default domain fails to allocate during the first probe. When this condition occurs, the kernel dereferences domain->ops->attach_dev inside __iommu_attach_device(), triggering a crash.

The issue was identified through local code review and has been resolved upstream by skipping the re-attach operation in pci_dev_reset_iommu_done().

Critical Impact

A NULL pointer dereference in the IOMMU reset path can crash the kernel, causing a local denial-of-service condition on affected Linux systems.

Affected Products

  • Linux kernel versions containing the vulnerable pci_dev_reset_iommu_done() implementation
  • Systems with PCI devices that trigger IOMMU reset paths
  • Distributions shipping the unpatched mainline kernel prior to the referenced stable commits

Discovery Timeline

  • 2026-06-26 - CVE-2026-53280 published to the National Vulnerability Database
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-53280

Vulnerability Analysis

The vulnerability affects the IOMMU subsystem's handling of PCI device reset flows. When a PCI device undergoes a Function Level Reset (FLR) or similar reset event, the kernel invokes pci_dev_reset_iommu_prepare() before the reset and pci_dev_reset_iommu_done() afterward.

The post-reset handler attempts to re-attach the device to its IOMMU group's domain by calling __iommu_attach_device(). This function dereferences domain->ops->attach_dev without validating that group->domain is a valid pointer.

If the initial default domain allocation failed during the device's first probe, group->domain remains NULL. The subsequent re-attach attempt then dereferences a NULL pointer, causing a kernel oops.

Root Cause

The root cause is missing validation of group->domain in pci_dev_reset_iommu_done(). The preparation counterpart, pci_dev_reset_iommu_prepare(), correctly tolerates a NULLold_domain pointer. The completion path did not apply the same defensive check, leading to the NULL pointer dereference [CWE-476].

Attack Vector

Triggering this vulnerability requires a specific sequence of events on the local system. An IOMMU group must have failed default domain allocation during initial device probing. A subsequent PCI device reset then invokes the vulnerable code path.

The issue is primarily a reliability defect. Exploitation for privilege escalation is not indicated in the upstream commit. The practical impact is a kernel crash resulting in local denial of service.

No public proof-of-concept exploit is available for this issue. Refer to the Kernel Git Commit Details and the companion patch commit for the fix implementation.

Detection Methods for CVE-2026-53280

Indicators of Compromise

  • Kernel oops or panic messages referencing __iommu_attach_device or pci_dev_reset_iommu_done in dmesg output
  • Stack traces containing attach_dev NULL pointer dereferences during PCI reset events
  • System crashes correlated with PCI Function Level Reset or hot-plug operations

Detection Strategies

  • Audit kernel version strings across the fleet and compare against the fixed stable release containing commits 17194cd0dd23 and d769711fcddd
  • Review dmesg and journal logs for IOMMU domain allocation failures during boot
  • Monitor crash telemetry for repeated kernel panics tied to PCI device reset workflows

Monitoring Recommendations

  • Collect and centralize kernel crash dumps and kdump output for pattern analysis
  • Track PCI reset events and correlate with IOMMU subsystem warnings
  • Alert on kernel oops events referencing IOMMU code paths across Linux endpoints and servers

How to Mitigate CVE-2026-53280

Immediate Actions Required

  • Identify Linux systems running kernel versions predating the upstream fix commits
  • Prioritize patching hosts that perform frequent PCI device resets, such as virtualization hosts using SR-IOV or PCI passthrough
  • Apply vendor-supplied kernel updates that include the pci_dev_reset_iommu_done() fix

Patch Information

The upstream fix skips the re-attach operation in pci_dev_reset_iommu_done() when the group domain is not valid. The patch is available in the mainline Linux kernel tree at commit 17194cd0dd23 and the stable backport at commit d769711fcddd. Apply distribution-provided kernel updates once available.

Workarounds

  • Avoid triggering PCI device resets on systems where IOMMU default domain allocation has failed at boot
  • Investigate and remediate underlying IOMMU domain allocation failures reported in kernel logs
  • Where feasible, disable device hot-plug operations on affected hosts until the kernel patch is applied
bash
# Verify running kernel version and check for the fix
uname -r
dmesg | grep -iE 'iommu|attach_dev'

# After patch installation, reboot into the fixed kernel
sudo reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.