CVE-2026-52952

Source
https://cve.org/CVERecord?id=CVE-2026-52952
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52952.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52952
Downstream
Published
2026-06-24T16:28:35.247Z
Modified
2026-07-08T08:13:45.073101664Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix WARN_ON in __iommugroupsetdomainnofail() due to reset

In __iommugroupset_domaininternal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARNON in __iommugroupsetdomainnofail().

Other IOMMUSETDOMAINMUSTSUCCEED callers in detach/teardown paths, such as __iommugroupsetcoredomain and _iommureleasedmaownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pcidevresetiommudone() could trigger a UAF when re-attaching group->domain.

Honor the IOMMUSETDOMAINMUSTSUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52952.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c279e83953d937470f8a6e69b69f62608714f13f
Fixed
8fc289e809f3eb7e36cadc4684ab6fad747a5a93
Fixed
5474e6e17a262db45c60575c73f70210f5c7001f

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52952.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52952.json"