Cyber Resilience

CVE-2026-23429

High

Published: 03 April 2026

Published
03 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23429 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23429 is a use-after-free vulnerability in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) subsystem, specifically within the iommu_sva_unbind_device() function. The issue arises because domain->mm->iommu_mm can be freed during iommu_domain_free(), which calls mmdrop(), __mmdrop(), and mm_pasid_drop(). Subsequent access to domain->mm->iommu_mm after this free operation results in dereferencing freed memory, leading to a kernel crash.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N/S:U). Successful exploitation yields high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially enabling denial of service via system crash or further compromise through the use-after-free condition.

Mitigation patches are available in Linux kernel stable trees via the following commits: https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a, https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433, and https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d. These patches resolve the issue by moving the access to domain->mm->iommu_mm before the iommu_domain_free() call.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash.…

more

Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

UAF in kernel IOMMU enables local priv esc (T1068) or system crash DoS via exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31558Same product: Linux Linux Kernel
CVE-2025-21680Same product: Linux Linux Kernel
CVE-2026-31419Same product: Linux Linux Kernel
CVE-2026-23350Same product: Linux Linux Kernel
CVE-2025-21647Same product: Linux Linux Kernel
CVE-2025-21791Same product: Linux Linux Kernel
CVE-2026-31502Same product: Linux Linux Kernel
CVE-2025-21883Same product: Linux Linux Kernel
CVE-2026-31548Same product: Linux Linux Kernel
CVE-2026-31485Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19, 7.0 · 6.18.7 — 6.18.20 · 6.19.1 — 6.19.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely identification, testing, and installation of kernel patches that reorder the problematic memory access.

prevent

Implements memory safeguards such as address space layout randomization and non-executable memory regions to hinder exploitation of kernel use-after-free conditions.

detect

Enables vulnerability scanning and monitoring to identify the presence of this specific kernel IOMMU SVA CVE in deployed systems for prompt remediation.

References