In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix oops due to out of scope access
Below oops triggers when kill QEMU process:
Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI Call Trace: <TASK> dorawspinlock+0xaa/0xc0 rawspinlockirqsave+0x21/0x40 domainremovedevpasid+0x52/0x160 intelnestedsetdevpasid+0x1b9/0x1e0 __iommusetgrouppasid+0x56/0x120 pcidevresetiommudone+0xe3/0x180 pcieflr+0x65/0x160 __pciresetfunctionlocked+0x5b/0x120 vfiopcicoreclosedevice+0x63/0xe0 [vfiopcicore] vfiodfclose+0x4f/0xa0 vfiodfunbindiommufd+0x2d/0x60 vfiodevicefops_release+0x3e/0x40 __fput+0xe5/0x2c0 taskworkrun+0x58/0xa0 doexit+0x2c8/0x600 dogroupexit+0x2f/0xa0 getsignal+0x863/0x8c0 archdosignalorrestart+0x24/0x100 exittousermodeloop+0x87/0x380 dosyscall64+0x2ff/0x11e0 entrySYSCALL64afterhwframe+0x76/0x7e
The global static blocked domain is a dummy domain without corresponding dmardomain structure, accessing beyond iommudomain structure triggers oops easily. Fix it by return early in domainremovedev_pasid() like identity domain.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52953.json",
"cna_assigner": "Linux"
}