Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53283

CVE-2026-53283: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-53283 is a buffer overflow flaw in the Linux kernel's AMD IOMMU driver that causes out-of-bounds memory reads during device registration. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-53283 Overview

CVE-2026-53283 is an out-of-bounds read vulnerability in the Linux kernel's AMD IOMMU driver. The flaw resides in __rlookup_amd_iommu(), which indexes the rlookup_table[devid] array without validating that devid falls within the allocation's bounds. When the kernel probes a PCI device whose Bus/Device/Function (BDF) is not described by the IVRS (I/O Virtualization Reporting Structure), the lookup reads past the end of a kvcalloc() allocation.

Critical Impact

The out-of-bounds read returns adjacent slab contents that check_device() then dereferences as a struct amd_iommu *, producing a boot-time general protection fault (GPF) and preventing the affected system from booting.

Affected Products

  • Linux kernel builds containing commit e874c666b15b ("iommu/amd: Change rlookup, irq_lookup, and alias to use kvalloc()")
  • Linux kernel 6.18.22 (confirmed reproducer)
  • AMD IOMMU-enabled virtualized environments where IVRS does not describe all PCI endpoints, including Google Compute Engine ct6e VMs

Discovery Timeline

  • 2026-06-26 - CVE-2026-53283 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-53283

Vulnerability Analysis

During IOMMU initialization, iommu_device_register() iterates every device on the PCI bus via bus_for_each_dev() and calls amd_iommu_probe_device() for each. The inlined check_device() path computes the device's segment/BDF, invokes rlookup_amd_iommu() to locate the owning IOMMU, and only afterwards verifies that devid <= pci_seg->last_bdf. Because __rlookup_amd_iommu() performs no internal bounds check, a PCI device whose BDF is not covered by the IVRS causes the lookup to read past the end of the allocation before the caller's bounds check runs.

Root Cause

The issue was latent before commit e874c666b15b. Previously, rlookup_table was a zeroed page-order allocation, so any over-read returned NULL and the caller's NULL check silently skipped the device. After the switch to a tight kvcalloc() allocation, the over-read returns adjacent slab data that is then dereferenced as an IOMMU structure pointer, triggering a fault. This is a classic Out-of-Bounds Read leading to a type-confused pointer dereference.

Attack Vector

The reported reproducer is a Google Compute Engine ct6e VM whose virtualized IVRS describes only TPU endpoints at 00:04.000:07.0. The gVNIC at 00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation, into an adjacent kmalloc-512 slab object. The result is a general protection fault at amd_iommu_probe_device+0x54/0x3a0, aborting boot with PID 1 (swapper/0). The condition is triggered by platform topology rather than by a network- or user-supplied payload, so exploitation is limited to local denial-of-service scenarios where an attacker can influence PCI enumeration or IVRS contents.

No verified public exploit code is available. The vulnerability mechanism is described in prose based on the upstream commit message; refer to the kernel commit for the patched implementation of __rlookup_amd_iommu().

Detection Methods for CVE-2026-53283

Indicators of Compromise

  • Boot-time kernel oops with message general protection fault, probably for non-canonical address originating from amd_iommu_probe_device+0x54/0x3a0.
  • Call trace containing __iommu_probe_device, probe_iommu_group, bus_for_each_dev, iommu_device_register, iommu_go_to_state, and amd_iommu_init.
  • Systems that fail to complete boot when AMD IOMMU is enabled and a PCI device outside the IVRS-declared BDF range is present.

Detection Strategies

  • Audit installed kernel versions against the fixed commits 07d0f496fe7e, 79db4cbab81f, and f0a0f01787ec published on kernel.org.
  • Correlate boot failures on AMD IOMMU-enabled virtualized hosts with recent kernel upgrades that include commit e874c666b15b.
  • Compare PCI enumeration output (lspci -nn) against the firmware IVRS table to identify endpoints outside the declared BDF range.

Monitoring Recommendations

  • Collect kernel ring buffer (dmesg) output from hosts after upgrades to detect IOMMU probe failures early.
  • Monitor virtualization fleets for boot loops on AMD-based instance families, particularly those exposing accelerators such as TPUs alongside virtual NICs.
  • Track distribution stable-tree backports to confirm patch coverage across managed hosts.

How to Mitigate CVE-2026-53283

Immediate Actions Required

  • Apply the upstream fix that adds a bounds check to __rlookup_amd_iommu() before the rlookup_table[devid] access.
  • Update to a Linux kernel stable release that includes commits 07d0f496fe7e, 79db4cbab81f, or f0a0f01787ec.
  • On unpatched hosts unable to boot, disable AMD IOMMU as a temporary workaround while a fixed kernel is staged.

Patch Information

The fix guards the array access in __rlookup_amd_iommu() so that a devid outside the IVRS-described range returns NULL instead of dereferencing adjacent slab memory. With the patch applied on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots. Patch references:

Workarounds

  • Boot with iommu=off or amd_iommu=off on the kernel command line to bypass the affected code path until a patched kernel is deployed.
  • Pin affected hosts to a pre-e874c666b15b kernel where the over-read is masked by the page-order allocation.
  • On cloud platforms exhibiting the failure, revert instances to a prior known-good boot image and coordinate with the provider on IVRS or kernel remediation.
bash
# Configuration example: temporarily disable AMD IOMMU via GRUB
# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=off iommu=off"

# Apply and reboot
sudo update-grub
sudo reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.