Bug 2493709 (CVE-2026-53322)

Summary: CVE-2026-53322 kernel: vfio/pci: Clean up DMABUFs before disabling function
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's vfio/pci subsystem. During device shutdown, an improper order of operations in cleaning up Direct Memory Access Buffers (DMABUFs) before disabling the function creates a brief window. In this window, a device's Base Address Registers (BARs) could still be accessed via DMABUFs even after memory space enable (MSE) is cleared. This could potentially allow a different driver to access freed resources, leading to information disclosure or unauthorized resource access.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-26 21:02:07 UTC
In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Clean up DMABUFs before disabling function

On device shutdown, make vfio_pci_core_close_device() call
vfio_pci_dma_buf_cleanup() before the function is disabled via
vfio_pci_core_disable().  This ensures that all access via DMABUFs is
revoked before the function's BARs become inaccessible.

This fixes an issue where, if the function is disabled first, a tiny
window exists in which the function's MSE is cleared and yet BARs
could still be accessed via the DMABUF.  The resources would also be
freed and up for grabs by a different driver.

Comment 1 Mauro Matteo Cascella 2026-06-29 10:33:15 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062622-CVE-2026-53322-843f@gregkh/T