CVE-2026-23429
Published: 03 April 2026
Summary
CVE-2026-23429 is a high-severity vulnerability in the Linux kernel; the record lists the weakness type as unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the use-after-free vulnerability by requiring timely identification, testing, and installation of kernel patches that reorder the problematic memory access.
Implements memory safeguards such as address space layout randomization and non-executable memory regions to hinder exploitation of kernel use-after-free conditions.
Enables vulnerability scanning and monitoring to identify the presence of this specific kernel IOMMU SVA CVE in deployed systems for prompt remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the kernel IOMMU code enables local privilege escalation (T1068) or a denial of service through a system crash (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: Fix crash in iommu_sva_unbind_device()

domain->mm->iommu_mm can be freed by iommu_domain_free():

  iommu_domain_free()
    mmdrop()
      __mmdrop()
        mm_pasid_drop()

After iommu_domain_free() returns, accessing domain->mm->iommu_mm may dereference a freed mm structure, leading to a crash.

Fix this by moving the code that accesses domain->mm->iommu_mm to before the call to iommu_domain_free().
Deeper analysis
CVE-2026-23429 is a use-after-free vulnerability in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) subsystem, specifically within the iommu_sva_unbind_device() function. The issue arises because domain->mm->iommu_mm can be freed during iommu_domain_free(), which calls mmdrop(), __mmdrop(), and mm_pasid_drop(). Subsequent access to domain->mm->iommu_mm after this free operation results in dereferencing freed memory, leading to a kernel crash.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N/S:U). Successful exploitation yields high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8, potentially enabling denial of service via system crash or further compromise through the use-after-free condition.
Mitigation patches are available in Linux kernel stable trees via the following commits: https://git.kernel.org/stable/c/06e14c36e20b48171df13d51b89fe67c594ed07a, https://git.kernel.org/stable/c/58abeb7b9562f25bdfa2f5ae5ce803eb02e74433, and https://git.kernel.org/stable/c/f5daaa2c959d9f894fb5b1ab76da8612dd220a0d. These patches resolve the issue by moving the access to domain->mm->iommu_mm before the iommu_domain_free() call.
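The ordering problem described above, as an added userspace C model; it is not kernel code and is not taken from the fix commits. The struct and function names are hypothetical stand-ins, and the model marks the mm as released instead of freeing it, so the pre-fix order can be observed without undefined behaviour. It also shows that the pre-fix order only goes wrong when the domain holds the last reference to the mm.

```c
/* Userspace model of the ordering bug. All names are hypothetical. */
#include <stdio.h>

struct model_mm {
    int refcount;      /* stands in for the mm reference count */
    int released;      /* set when the last reference is dropped */
    int iommu_users;   /* stands in for state behind mm->iommu_mm */
};
struct model_domain { struct model_mm *mm; };

static int stale_accesses;   /* accesses made after the mm was released */

/* Every access to the iommu_mm state goes through here so stale use is counted. */
static int *iommu_state(struct model_mm *mm)
{
    if (mm->released)
        stale_accesses++;
    return &mm->iommu_users;
}

/* Models iommu_domain_free(): drops the domain's reference on the mm.
 * The model only marks the mm released; the kernel would free it here. */
static void model_domain_free(struct model_domain *d)
{
    if (--d->mm->refcount == 0)
        d->mm->released = 1;
}

/* fixed == 0: pre-fix order (free, then access); fixed != 0: post-fix order.
 * refs is the number of references the mm holds when unbind starts. */
int run_unbind(int fixed, int refs)
{
    struct model_mm mm = { refs, 0, 1 };
    struct model_domain d = { &mm };

    stale_accesses = 0;
    if (fixed) {
        (*iommu_state(d.mm))--;      /* access first */
        model_domain_free(&d);       /* then drop the reference */
    } else {
        model_domain_free(&d);       /* may drop the last reference */
        (*iommu_state(d.mm))--;      /* stale access if it did */
    }
    return stale_accesses;
}

int main(void)
{
    printf("pre-fix, last ref:  %d stale\n", run_unbind(0, 1));
    printf("pre-fix, extra ref: %d stale\n", run_unbind(0, 2));
    printf("post-fix, last ref: %d stale\n", run_unbind(1, 1));
    return 0;
}
```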
Details
- CWE(s)