PT-2026-6137 · Git+3 · Kernel+98
Published
2026-01-01
·
Updated
2026-02-04
·
CVE-2026-23067
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue involves a signedness bug in the
arm lpae unmap() function within the io-pgtable-arm component of the Linux kernel. The function incorrectly returns a negative error code (-ENOENT) as a size t value, which is an unsigned type. This results in a corrupted value propagating through the call chain, potentially leading to an IOVA address overflow in the iommu unmap() loop and triggering a BUG ON condition in the iommu pgsize() function due to invalid address alignment. The fix involves returning 0 instead of -ENOENT, aligning the behavior with other io-pgtable implementations like io-pgtable-arm-v7s and io-pgtable-dart.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Assertion Failure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kernel
Linux
Linux-Allwinner-5.19
Linux-Aws
Linux-Aws-5.0
Linux-Aws-5.11
Linux-Aws-5.13
Linux-Aws-5.19
Linux-Aws-5.3
Linux-Aws-5.8
Linux-Aws-6.17
Linux-Aws-6.2
Linux-Aws-6.5
Linux-Azure
Linux-Azure-5.11
Linux-Azure-5.13
Linux-Azure-5.19
Linux-Azure-5.3
Linux-Azure-5.8
Linux-Azure-6.11
Linux-Azure-6.17
Linux-Azure-6.2
Linux-Azure-6.5
Linux-Azure-Edge
Linux-Azure-Fde
Linux-Azure-Fde-5.19
Linux-Azure-Fde-6.17
Linux-Azure-Fde-6.2
Linux-Gcp
Linux-Gcp-5.11
Linux-Gcp-5.13
Linux-Gcp-5.19
Linux-Gcp-5.3
Linux-Gcp-5.8
Linux-Gcp-6.11
Linux-Gcp-6.17
Linux-Gcp-6.2
Linux-Gcp-6.5
Linux-Gke
Linux-Gke-4.15
Linux-Gkeop-5.15
Linux-Gke-5.4
Linux-Gkeop
Linux-Hwe
Linux-Hwe-5.11
Linux-Hwe-5.13
Linux-Hwe-5.19
Linux-Hwe-5.8
Linux-Hwe-6.11
Linux-Hwe-6.17
Linux-Hwe-6.2
Linux-Hwe-6.5
Linux-Hwe-Edge
Linux-Intel-5.13
Linux-Intel-Iot-Realtime
Linux-Lowlatency-Hwe-5.19
Linux-Lowlatency-Hwe-6.11
Linux-Lowlatency-Hwe-6.2
Linux-Lowlatency-Hwe-6.5
Linux-Nvidia-6.11
Linux-Nvidia-6.2
Linux-Nvidia-6.5
Linux-Oem
Linux-Oem-5.10
Linux-Oem-5.13
Linux-Oem-5.14
Linux-Oem-5.17
Linux-Oem-5.6
Linux-Oem-6.0
Linux-Oem-6.1
Linux-Oem-6.11
Linux-Oem-6.17
Linux-Oem-6.5
Linux-Oem-6.8
Linux-Oracle
Linux-Oracle-5.0
Linux-Oracle-5.11
Linux-Oracle-5.13
Linux-Oracle-5.3
Linux-Oracle-5.8
Linux-Oracle-6.14
Linux-Oracle-6.17
Linux-Oracle-6.5
Linux-Raspi
Linux-Raspi-Realtime
Linux-Raspi2
Linux-Realtime
Linux-Realtime-6.14
Linux-Riscv
Linux-Riscv-5.11
Linux-Riscv-5.19
Linux-Riscv-5.8
Linux-Riscv-6.14
Linux-Riscv-6.17
Linux-Riscv-6.5
Linux-Starfive-5.19
Linux-Starfive-6.2
Linux-Starfive-6.5
Linux Kernel