In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix WARN_ON in __iommugroupsetdomainnofail() due to reset
In __iommugroupset_domaininternal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARNON in __iommugroupsetdomainnofail().
Other IOMMUSETDOMAINMUSTSUCCEED callers in detach/teardown paths, such as __iommugroupsetcoredomain and _iommureleasedmaownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pcidevresetiommudone() could trigger a UAF when re-attaching group->domain.
Honor the IOMMUSETDOMAINMUSTSUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52952.json",
"cna_assigner": "Linux"
}