Vulnerability Details CVE-2026-53280
In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()
Local sashiko review pointed it out that group->domain could be NULL when
a default domain fails to allocate during the first probe, which can crash
at domain->ops->attach_dev dereference in __iommu_attach_device() invoked
by pci_dev_reset_iommu_done().
pci_dev_reset_iommu_prepare() is fine as an old_domain pointer can be NULL.
Skip the re-attach in pci_dev_reset_iommu_done() to fix the bug.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 1.4%
CVSS Severity
CVSS v3 Score 5.5
Products affected by CVE-2026-53280
-
cpe:2.3:o:linux:linux_kernel:7.0
-
cpe:2.3:o:linux:linux_kernel:7.0.1
-
cpe:2.3:o:linux:linux_kernel:7.0.2
-
cpe:2.3:o:linux:linux_kernel:7.0.3
-
cpe:2.3:o:linux:linux_kernel:7.0.4
-
cpe:2.3:o:linux:linux_kernel:7.0.5
-
cpe:2.3:o:linux:linux_kernel:7.0.6
-
cpe:2.3:o:linux:linux_kernel:7.0.7
-
cpe:2.3:o:linux:linux_kernel:7.0.8
-
cpe:2.3:o:linux:linux_kernel:7.0.9
-
cpe:2.3:o:linux:linux_kernel:7.1