CVE-2026-52953

Source
https://cve.org/CVERecord?id=CVE-2026-52953
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52953.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52953
Downstream
Published
2026-06-24T16:28:36.110Z
Modified
2026-07-08T08:09:43.939288382Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
iommu/vt-d: Fix oops due to out of scope access
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix oops due to out of scope access

Below oops triggers when kill QEMU process:

Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI Call Trace: <TASK> dorawspinlock+0xaa/0xc0 rawspinlockirqsave+0x21/0x40 domainremovedevpasid+0x52/0x160 intelnestedsetdevpasid+0x1b9/0x1e0 __iommusetgrouppasid+0x56/0x120 pcidevresetiommudone+0xe3/0x180 pcieflr+0x65/0x160 __pciresetfunctionlocked+0x5b/0x120 vfiopcicoreclosedevice+0x63/0xe0 [vfiopcicore] vfiodfclose+0x4f/0xa0 vfiodfunbindiommufd+0x2d/0x60 vfiodevicefops_release+0x3e/0x40 __fput+0xe5/0x2c0 taskworkrun+0x58/0xa0 doexit+0x2c8/0x600 dogroupexit+0x2f/0xa0 getsignal+0x863/0x8c0 archdosignalorrestart+0x24/0x100 exittousermodeloop+0x87/0x380 dosyscall64+0x2ff/0x11e0 entrySYSCALL64afterhwframe+0x76/0x7e

The global static blocked domain is a dummy domain without corresponding dmardomain structure, accessing beyond iommudomain structure triggers oops easily. Fix it by return early in domainremovedev_pasid() like identity domain.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52953.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d0c9da6c1509664d96488042bacc02308ca33b2
Fixed
88397fad7914ee74a7880fa5ce01f9eb6bfe0743
Fixed
1e659db468476733d217c1314c1e0d9244356d6c
Fixed
a6dea58d8625c06b9654c0555f101742481335c3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52953.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52953.json"