CVE-2026-23067

EPSS 0.02%
Veröffentlicht 04.02.2026 16:07:48
Zuletzt bearbeitet 13.03.2026 21:27:45
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative
error code) when encountering an unmapped PTE. Since size_t is unsigned,
-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE
on 64-bit systems).

This corrupted value propagates through the call chain:
  __arm_lpae_unmap() returns -ENOENT as size_t
  -> arm_lpae_unmap_pages() returns it
  -> __iommu_unmap() adds it to iova address
  -> iommu_pgsize() triggers BUG_ON due to corrupted iova

This can cause IOVA address overflow in __iommu_unmap() loop and
trigger BUG_ON in iommu_pgsize() from invalid address alignment.

Fix by returning 0 instead of -ENOENT. The WARN_ON already signals
the error condition, and returning 0 (meaning "nothing unmapped")
is the correct semantic for size_t return type. This matches the
behavior of other io-pgtable implementations (io-pgtable-arm-v7s,
io-pgtable-dart) which return 0 on error conditions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.16 < 6.18.8

Linux ≫ Linux Kernel Version6.19 Updaterc1

Linux ≫ Linux Kernel Version6.19 Updaterc2

Linux ≫ Linux Kernel Version6.19 Updaterc3

Linux ≫ Linux Kernel Version6.19 Updaterc4

Linux ≫ Linux Kernel Version6.19 Updaterc5

Linux ≫ Linux Kernel Version6.19 Updaterc6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.037

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac

Patch

https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23067

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23067

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23067

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23067