CVE-2026-53280 Overview
CVE-2026-53280 is a NULL pointer dereference vulnerability in the Linux kernel's Input/Output Memory Management Unit (IOMMU) subsystem. The flaw resides in the pci_dev_reset_iommu_done() function, where group->domain can be NULL if a default domain fails to allocate during the first probe. When this condition occurs, the kernel dereferences domain->ops->attach_dev inside __iommu_attach_device(), triggering a crash.
The issue was identified through local code review and has been resolved upstream by skipping the re-attach operation in pci_dev_reset_iommu_done().
Critical Impact
A NULL pointer dereference in the IOMMU reset path can crash the kernel, causing a local denial-of-service condition on affected Linux systems.
Affected Products
- Linux kernel versions containing the vulnerable pci_dev_reset_iommu_done() implementation
- Systems with PCI devices that trigger IOMMU reset paths
- Distributions shipping the unpatched mainline kernel prior to the referenced stable commits
Discovery Timeline
- 2026-06-26 - CVE-2026-53280 published to the National Vulnerability Database
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53280
Vulnerability Analysis
The vulnerability affects the IOMMU subsystem's handling of PCI device reset flows. When a PCI device undergoes a Function Level Reset (FLR) or similar reset event, the kernel invokes pci_dev_reset_iommu_prepare() before the reset and pci_dev_reset_iommu_done() afterward.
The post-reset handler attempts to re-attach the device to its IOMMU group's domain by calling __iommu_attach_device(). This function dereferences domain->ops->attach_dev without validating that group->domain is a valid pointer.
If the initial default domain allocation failed during the device's first probe, group->domain remains NULL. The subsequent re-attach attempt then dereferences a NULL pointer, causing a kernel oops.
Root Cause
The root cause is missing validation of group->domain in pci_dev_reset_iommu_done(). The preparation counterpart, pci_dev_reset_iommu_prepare(), correctly tolerates a NULLold_domain pointer. The completion path did not apply the same defensive check, leading to the NULL pointer dereference [CWE-476].
Attack Vector
Triggering this vulnerability requires a specific sequence of events on the local system. An IOMMU group must have failed default domain allocation during initial device probing. A subsequent PCI device reset then invokes the vulnerable code path.
The issue is primarily a reliability defect. Exploitation for privilege escalation is not indicated in the upstream commit. The practical impact is a kernel crash resulting in local denial of service.
No public proof-of-concept exploit is available for this issue. Refer to the Kernel Git Commit Details and the companion patch commit for the fix implementation.
Detection Methods for CVE-2026-53280
Indicators of Compromise
- Kernel oops or panic messages referencing __iommu_attach_device or pci_dev_reset_iommu_done in dmesg output
- Stack traces containing attach_dev NULL pointer dereferences during PCI reset events
- System crashes correlated with PCI Function Level Reset or hot-plug operations
Detection Strategies
- Audit kernel version strings across the fleet and compare against the fixed stable release containing commits 17194cd0dd23 and d769711fcddd
- Review dmesg and journal logs for IOMMU domain allocation failures during boot
- Monitor crash telemetry for repeated kernel panics tied to PCI device reset workflows
Monitoring Recommendations
- Collect and centralize kernel crash dumps and kdump output for pattern analysis
- Track PCI reset events and correlate with IOMMU subsystem warnings
- Alert on kernel oops events referencing IOMMU code paths across Linux endpoints and servers
How to Mitigate CVE-2026-53280
Immediate Actions Required
- Identify Linux systems running kernel versions predating the upstream fix commits
- Prioritize patching hosts that perform frequent PCI device resets, such as virtualization hosts using SR-IOV or PCI passthrough
- Apply vendor-supplied kernel updates that include the pci_dev_reset_iommu_done() fix
Patch Information
The upstream fix skips the re-attach operation in pci_dev_reset_iommu_done() when the group domain is not valid. The patch is available in the mainline Linux kernel tree at commit 17194cd0dd23 and the stable backport at commit d769711fcddd. Apply distribution-provided kernel updates once available.
Workarounds
- Avoid triggering PCI device resets on systems where IOMMU default domain allocation has failed at boot
- Investigate and remediate underlying IOMMU domain allocation failures reported in kernel logs
- Where feasible, disable device hot-plug operations on affected hosts until the kernel patch is applied
# Verify running kernel version and check for the fix
uname -r
dmesg | grep -iE 'iommu|attach_dev'
# After patch installation, reboot into the fixed kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

