CVE-2026-52952
HIGH 8.8In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail(). Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain. Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
Severe if exploited (CVSS 8.8), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 3rd percentile
Impact if exploited
8.8CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityHigh
What an attacker needs
- ⚠Access: Requires local access to the host
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Linux Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
Weakness (CWE)
- CWE-825
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/8fc289e809f3eb7e36cadc4684ab6fad747a5a93
- https://git.kernel.org/stable/c/5474e6e17a262db45c60575c73f70210f5c7001f
- https://access.redhat.com/security/cve/CVE-2026-52952
- https://bugzilla.redhat.com/show_bug.cgi?id=2492422
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52952.json