-
CVE-2026-23067
- EPSS -
- Veröffentlicht 04.02.2026 16:07:48
- Zuletzt bearbeitet 04.02.2026 17:16:17
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
41ec6988547819756fb65e94fc24f3e0dddf84ac
Version
3318f7b5cefbff96b1bb49584ac38d2c9997a830
Status
affected
Version <
374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8
Version
3318f7b5cefbff96b1bb49584ac38d2c9997a830
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
6.16
Status
affected
Version <
6.16
Version
0
Status
unaffected
Version <=
6.18.*
Version
6.18.8
Status
unaffected
Version <=
*
Version
6.19-rc7
Status
unaffected