CVE-2026-52952
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset I
CVSS
8.8
Alto
EPSS
0.1%
p4
KEV
—
Exploit Today
1
0-100
Publicado: 24 jun 2026 · Última mod.: 15 jul 2026 · CWE-617 · CWE-825
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
- git.kernel.orghttps://git.kernel.org/stable/c/5474e6e17a262db45c60575c73f70210f5c7001f
- git.kernel.orghttps://git.kernel.org/stable/c/8fc289e809f3eb7e36cadc4684ab6fad747a5a93
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-52952
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2492422
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52952.json