CVE-2026-53283

Source
https://cve.org/CVERecord?id=CVE-2026-53283
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53283.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53283
Downstream
Published
2026-06-26T19:40:44.573Z
Modified
2026-07-09T03:52:23.191808603Z
Summary
iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Bounds-check devid in __rlookupamdiommu()

iommudeviceregister() walks every device on the PCI bus via busforeachdev() and calls amdiommuprobedevice() for each. The inlined checkdevice() path computes the device's sbdf, calls rlookupamdiommu() to find the owning IOMMU, and only afterwards verifies devid <= pciseg->last_bdf. _rlookupamdiommu() indexes rlookuptable[devid] with no bounds check of its own, so for a PCI device whose BDF is not described by the IVRS, the lookup reads past the end of the allocation before the caller's bounds check can run.

This was harmless before commit e874c666b15b ("iommu/amd: Change rlookup, irqlookup, and alias to use kvalloc()"): the table was a zeroed page-order allocation, so the over-read returned NULL and the caller's NULL check skipped the device. After that commit the table is a tight kvcalloc() and the over-read returns adjacent slab contents, which checkdevice() then dereferences as a struct amd_iommu *, causing a boot-time GPF.

Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at 00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation, into the adjacent kmalloc-512 slab object:

pci 0000:00:04.0: Adding to iommu group 0 pci 0000:00:05.0: Adding to iommu group 1 pci 0000:00:06.0: Adding to iommu group 2 pci 0000:00:07.0: Adding to iommu group 3 Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025 RIP: 0010:amdiommuprobe_device+0x54/0x3a0 Call Trace: __iommuprobedevice+0x107/0x520 probeiommugroup+0x29/0x50 busforeachdev+0x7e/0xe0 iommudeviceregister+0xc9/0x240 iommugotostate+0x9c0/0x1c60 amdiommuinit+0x14/0x40 pciiommuinit+0x16/0x60 dooneinitcall+0x47/0x2f0

Guard the array access in __rlookupamdiommu(). With the fix applied on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53283.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e874c666b15bcb6280c4e747d8de3879bb728829
Fixed
f0a0f01787ecece814414b0665df879b69849d09
Fixed
79db4cbab81f07ce69a93d379ebd40d3709ecfb2
Fixed
07d0f496fe7ec5abe3bee7e38be709521567bb33

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53283.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53283.json"