accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()_CVE-2026-45931

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to
accessing iommu_mm after the associated mm structure has been
freed.

Fix this by taking an explicit reference to the mm structure
after successfully binding the device, and releasing it only
after the device is unbound. This ensures the mm remains valid
for the entire SVA bind/unbind lifetime.

Basic Information

ID CVE-2026-45931

Source Linux

Published May 27, 2026 at 12:17

Modified May 30, 2026 at 10:45

Affected Product

Vendor Linux

Product Linux

Version be462c97b7dfd24999babe39cce3de224ebe1f80

Affected Versions Linux Linux be462c97b7dfd24999babe39cce3de224ebe1f80
Linux Linux be462c97b7dfd24999babe39cce3de224ebe1f80
Linux Linux be462c97b7dfd24999babe39cce3de224ebe1f80
Linux Linux 6.14

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()\n\nSome tests trigger a crash in iommu_sva_unbind_device() due to\naccessing iommu_mm after the associated mm structure has been\nfreed.\n\nFix this by taking an explicit reference to the mm structure\nafter successfully binding the device, and releasing it only\nafter the device is unbound. This ensures the mm remains valid\nfor the entire SVA bind/unbind lifetime.",
    "published": "2026-05-27T12:17:49.527Z",
    "modified": "2026-05-30T10:45:57.696Z",
    "type": "cve",
    "title": "accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c\nhttps://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398\nhttps://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63",
    "id": "CVE-2026-45931",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux be462c97b7dfd24999babe39cce3de224ebe1f80\nLinux Linux be462c97b7dfd24999babe39cce3de224ebe1f80\nLinux Linux be462c97b7dfd24999babe39cce3de224ebe1f80\nLinux Linux 6.14",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "be462c97b7dfd24999babe39cce3de224ebe1f80",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply