iommu/vt-d: Avoid NULL pointer dereference or refcount corruption_CVE-2026-53281

8.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL.
However, the teardown operations are executed unconditionally, this lead
to a NULL pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which
would cause an immediate dereference when checking --info->refcnt.

Even if info is not NULL, decrementing the refcount without having removed
a valid PASID might unbalance the count. This could lead to premature
dropping of the refcount to 0, potentially causing a use-after-free for the
remaining active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the
teardown operations.

Issue found by AI review and suggested by Kevin Tian.
https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com

AI Analysis

NULL pointer dereference or refcount corruption vulnerability in Linux kernel's iommu/vt-d component

Basic Information

ID CVE-2026-53281

Source Linux

Published Jun 26, 2026 at 19:40

Modified Jun 28, 2026 at 06:41

Affected Product

Vendor Linux

Product Linux

Version 60f030f7418d3f1d94f2fb207fe3080e1844630b

Affected Versions Linux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b
Linux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b
Linux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b
Linux Linux 68ec78beb4a3fb0877cbaaf49758c85410c05977
Linux Linux df96876be3b064aefc493f760e0639765d13ed0d
Linux Linux 6.12.57
Linux Linux 6.13.3
Linux Linux 6.14

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Linux Foundation

Product Linux Kernel

Version 6.12.57, 6.13.3, 6.14

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid NULL pointer dereference or refcount corruption\n\nCommit 60f030f7418d (\"iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE\")\nfixed a NULL pointer dereference in an unlikely situation partly.\n\nIf dev_pasid is not found in the dev_pasids list, it remains NULL.\nHowever, the teardown operations are executed unconditionally, this lead\nto a NULL pointer dereference or refcount corruption.\n\nIf the domain was never attached to this IOMMU, info will be NULL, which\nwould cause an immediate dereference when checking --info->refcnt.\n\nEven if info is not NULL, decrementing the refcount without having removed\na valid PASID might unbalance the count. This could lead to premature\ndropping of the refcount to 0, potentially causing a use-after-free for the\nremaining active devices sharing the domain.\n\nFix it by returning early if dev_pasid is NULL, before executing the\nteardown operations.\n\nIssue found by AI review and suggested by Kevin Tian.\nhttps://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com",
    "published": "2026-06-26T19:40:43.040Z",
    "modified": "2026-06-28T06:41:22.835Z",
    "type": "cve",
    "title": "iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/9022cb9ac0c2a72a57fa8ebf92ac74f953ca0153\nhttps://git.kernel.org/stable/c/cdfe3c9f2c9e28a8651ee463c88ad191ced2f840\nhttps://git.kernel.org/stable/c/79ea2feb917b05366b49d85573c9c5331f043b2c",
    "id": "CVE-2026-53281",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b\nLinux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b\nLinux Linux 60f030f7418d3f1d94f2fb207fe3080e1844630b\nLinux Linux 68ec78beb4a3fb0877cbaaf49758c85410c05977\nLinux Linux df96876be3b064aefc493f760e0639765d13ed0d\nLinux Linux 6.12.57\nLinux Linux 6.13.3\nLinux Linux 6.14",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "60f030f7418d3f1d94f2fb207fe3080e1844630b",
    "vendor": "Linux",
    "ai_description": "NULL pointer dereference or refcount corruption vulnerability in Linux kernel's iommu/vt-d component",
    "ai_severity": "High",
    "ai_vendor": "Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "6.12.57, 6.13.3, 6.14",
    "ai_score": 8.8
}