Bounds Checking Vulnerability in Linux Kernel Affecting AMD IOMMU Devices
CVE-2026-53283
What is CVE-2026-53283?
A vulnerability has been identified in the Linux kernel's AMD IOMMU subsystem, specifically in the handling of device identifiers during device registration. The issue stems from a potential out-of-bounds access during the lookup of a device's owning IOMMU: if a PCI device's identifier exceeds the allocated bounds of the reference table, the lookup reads past the end of that table, and the resulting invalid memory access causes a general protection fault (GPF) at boot time. This was observed in particular in Google Compute Engine environments, where an attempt to index a non-existent device ID dereferenced invalid memory, threatening system stability. The vulnerability has been addressed in recent kernel updates by enforcing stricter bounds checks, so that such erroneous lookups are handled safely instead of faulting.
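The following C example is added here to illustrate the class of defect the advisory describes; it is not the kernel's AMD IOMMU code. It models a device-id-indexed owner table with the names `devid_table`, `lookup_owner_unchecked` and `lookup_owner_checked`, all hypothetical, and shows the unchecked lookup (which reads past the end of the table for an id the table does not cover) beside the hardened form that rejects such ids and returns "no owner" instead.

```c
/* Added illustration, not Linux kernel code: a device-id -> owner table
 * with and without a bounds check. All names and the layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct iommu { const char *name; };

/* Hypothetical table: one owner slot per device id. */
struct devid_table {
    struct iommu **owners;   /* owners[devid] -> owning IOMMU, or NULL */
    size_t nslots;           /* number of device ids the table covers */
};

/* Unchecked lookup: the pattern the advisory describes. A devid >= nslots
 * indexes past the end of owners[] and dereferences whatever memory follows,
 * which is what produces a general protection fault at boot. */
struct iommu *lookup_owner_unchecked(const struct devid_table *t, uint16_t devid)
{
    return t->owners[devid];
}

/* Hardened lookup: reject ids the table does not cover (and a missing table),
 * so the caller sees "no owner" rather than an invalid memory access. */
struct iommu *lookup_owner_checked(const struct devid_table *t, uint16_t devid)
{
    if (t == NULL || t->owners == NULL || (size_t)devid >= t->nslots)
        return NULL;
    return t->owners[devid];
}

/* Constructed sample data: two IOMMUs and a 16-slot table with two entries. */
static struct iommu iommu_a = { "iommu-a" };
static struct iommu iommu_b = { "iommu-b" };
static struct iommu *sample_owners[16];

const struct devid_table *sample_table(void)
{
    static struct devid_table t;
    sample_owners[0x05] = &iommu_a;
    sample_owners[0x0a] = &iommu_b;
    t.owners = sample_owners;
    t.nslots = sizeof(sample_owners) / sizeof(sample_owners[0]);
    return &t;
}

int main(void)
{
    const struct devid_table *t = sample_table();
    /* 0x1234 is a constructed id well beyond the 16 slots the table covers. */
    uint16_t ids[] = { 0x05, 0x0a, 0x07, 0x1234 };

    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        struct iommu *o = lookup_owner_checked(t, ids[i]);
        printf("devid 0x%04x -> %s\n", ids[i],
               o ? o->name : "(no owner or out of range)");
    }
    return 0;
}
```

The checked variant is what the fix described above amounts to in spirit: every index derived from a device identifier is compared against the table's size before it is used, and a miss is reported as "no owning IOMMU" rather than allowed to turn into a wild read.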
Affected Version(s)
Linux e874c666b15bcb6280c4e747d8de3879bb728829
Linux e874c666b15bcb6280c4e747d8de3879bb728829 < 79db4cbab81f07ce69a93d379ebd40d3709ecfb2
Linux e874c666b15bcb6280c4e747d8de3879bb728829 < 07d0f496fe7ec5abe3bee7e38be709521567bb33