Vulnerability-Lookup

GHSA-GFC2-582G-3757

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33

Details

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed.

Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-45931"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:09Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()\n\nSome tests trigger a crash in iommu_sva_unbind_device() due to\naccessing iommu_mm after the associated mm structure has been\nfreed.\n\nFix this by taking an explicit reference to the mm structure\nafter successfully binding the device, and releasing it only\nafter the device is unbound. This ensures the mm remains valid\nfor the entire SVA bind/unbind lifetime.",
  "id": "GHSA-gfc2-582g-3757",
  "modified": "2026-05-27T15:33:16Z",
  "published": "2026-05-27T15:33:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45931"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2026-45931 (GCVE-0-2026-45931)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17

Title

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/f6b4c1d98a7b8040d…
https://git.kernel.org/stable/c/f31ccf6278132a35a…
https://git.kernel.org/stable/c/a9162439ad792afcd…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: be462c97b7dfd24999babe39cce3de224ebe1f80 , < f6b4c1d98a7b8040d4d02e89425b3942016a2c2c (git) Affected: be462c97b7dfd24999babe39cce3de224ebe1f80 , < f31ccf6278132a35a652fe5eeac3941e1e912398 (git) Affected: be462c97b7dfd24999babe39cce3de224ebe1f80 , < a9162439ad792afcddc04718408ec1380b7a5f63 (git)
Linux	Linux	Affected: 6.14 Unaffected: 0 , < 6.14 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/amdxdna/amdxdna_pci_drv.c",
            "drivers/accel/amdxdna/amdxdna_pci_drv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f6b4c1d98a7b8040d4d02e89425b3942016a2c2c",
              "status": "affected",
              "version": "be462c97b7dfd24999babe39cce3de224ebe1f80",
              "versionType": "git"
            },
            {
              "lessThan": "f31ccf6278132a35a652fe5eeac3941e1e912398",
              "status": "affected",
              "version": "be462c97b7dfd24999babe39cce3de224ebe1f80",
              "versionType": "git"
            },
            {
              "lessThan": "a9162439ad792afcddc04718408ec1380b7a5f63",
              "status": "affected",
              "version": "be462c97b7dfd24999babe39cce3de224ebe1f80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/amdxdna/amdxdna_pci_drv.c",
            "drivers/accel/amdxdna/amdxdna_pci_drv.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()\n\nSome tests trigger a crash in iommu_sva_unbind_device() due to\naccessing iommu_mm after the associated mm structure has been\nfreed.\n\nFix this by taking an explicit reference to the mm structure\nafter successfully binding the device, and releasing it only\nafter the device is unbound. This ensures the mm remains valid\nfor the entire SVA bind/unbind lifetime."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:49.527Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f6b4c1d98a7b8040d4d02e89425b3942016a2c2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f31ccf6278132a35a652fe5eeac3941e1e912398"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9162439ad792afcddc04718408ec1380b7a5f63"
        }
      ],
      "title": "accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45931",
    "datePublished": "2026-05-27T12:17:49.527Z",
    "dateReserved": "2026-05-13T15:03:33.086Z",
    "dateUpdated": "2026-05-27T12:17:49.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-GFC2-582G-3757

CVE-2026-45931 (GCVE-0-2026-45931)

Tags

Sightings

Nomenclature