CVE-2026-23067
Signedness Bug in Linux iommu/io-pgtable-arm Causes Address Overflow
Publication date: 2026-02-04
Last updated on: 2026-03-13
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.16 (inc) to 6.18.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a bug in the Linux kernel's iommu/io-pgtable-arm component related to a size_t signedness error in the unmap path.
Specifically, the function __arm_lpae_unmap() returns a size_t value but was incorrectly returning a negative error code (-ENOENT) when it encountered an unmapped page table entry (PTE). Since size_t is unsigned, this negative value becomes a very large positive number on 64-bit systems.
This corrupted large value then propagates through several function calls, causing an IOVA address overflow in __iommu_unmap() and triggering a BUG_ON in iommu_pgsize() due to invalid address alignment.
The fix involved changing the return value to 0 instead of -ENOENT, which correctly indicates 'nothing unmapped' and matches the behavior of similar implementations.
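A user-space model of the signedness error described above, added here as an illustration; it is not the kernel's code. The function names, the constructed PTE array and the page size are assumptions, and the alignment check stands in for the BUG_ON.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u            /* constructed page size for this model */

/* Hypothetical leaf step: pte == 0 stands for an unmapped entry. */
static size_t leaf_unmap_buggy(uint64_t pte)
{
    if (!pte) return -ENOENT;    /* bug: negative errno converted to size_t */
    return PAGE_SZ;
}

static size_t leaf_unmap_fixed(uint64_t pte)
{
    if (!pte) return 0;          /* fix: 0 means "nothing unmapped" */
    return PAGE_SZ;
}

struct walk_result {
    size_t   unmapped;           /* bytes the caller believes it unmapped */
    uint64_t next_iova;          /* address the caller would continue from */
    int      aligned;            /* 0 once next_iova fails the alignment check */
};

/* Hypothetical caller: trusts the returned size and advances the IOVA by it. */
static struct walk_result unmap_range(uint64_t iova, const uint64_t *ptes,
                                      size_t n, size_t (*leaf)(uint64_t))
{
    struct walk_result r = { 0, iova, 1 };
    for (size_t i = 0; i < n; i++) {
        if (r.next_iova % PAGE_SZ) { r.aligned = 0; break; }  /* stands in for the BUG_ON */
        size_t got = leaf(ptes[i]);
        if (!got) break;         /* the only "stop" value the caller understands */
        r.unmapped += got;
        r.next_iova += got;      /* wraps when got is (size_t)-ENOENT */
    }
    return r;
}

int main(void)
{
    const uint64_t ptes[] = { 1, 0, 1 };   /* constructed: mapped, unmapped, mapped */
    struct walk_result b = unmap_range(0x100000, ptes, 3, leaf_unmap_buggy);
    struct walk_result f = unmap_range(0x100000, ptes, 3, leaf_unmap_fixed);
    printf("buggy: next_iova=%#llx aligned=%d\n", (unsigned long long)b.next_iova, b.aligned);
    printf("fixed: next_iova=%#llx aligned=%d\n", (unsigned long long)f.next_iova, f.aligned);
    return 0;
}
```

With the buggy leaf, the caller adds a near-`SIZE_MAX` value to the IOVA, the sum wraps to a misaligned address, and the alignment check fails; with the fixed leaf the walk stops cleanly at the unmapped entry.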
How can this vulnerability impact me?
This vulnerability can cause an address overflow and trigger a kernel BUG_ON, which may lead to system instability or crashes.
Because the corrupted value causes invalid address alignment checks to fail, it can disrupt normal memory management operations related to IOMMU unmapping.
Such kernel crashes or instability could affect system availability and reliability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by correcting the return value in the Linux kernel's iommu/io-pgtable-arm code to return 0 instead of -ENOENT in the unmap path.
To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.