CVE-2026-23067
Signedness Bug in Linux iommu/io-pgtable-arm Causes Address Overflow

Publication date: 2026-02-04

Last updated on: 2026-03-13

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems).

This corrupted value propagates through the call chain:
__arm_lpae_unmap() returns -ENOENT as size_t
-> arm_lpae_unmap_pages() returns it
-> __iommu_unmap() adds it to iova address
-> iommu_pgsize() triggers BUG_ON due to corrupted iova

This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment.

Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.

Meta Information
Published: 2026-02-04
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.16 (inc) to 6.18.8 (exc)
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Executive Summary

This vulnerability is a bug in the Linux kernel's iommu/io-pgtable-arm component related to a size_t signedness error in the unmap path.

Specifically, the function __arm_lpae_unmap() returns a size_t value but was incorrectly returning a negative error code (-ENOENT) when it encountered an unmapped page table entry (PTE). Since size_t is unsigned, this negative value becomes a very large positive number on 64-bit systems.

This corrupted large value then propagates through several function calls, causing an IOVA address overflow in __iommu_unmap() and triggering a BUG_ON in iommu_pgsize() due to invalid address alignment.

The fix involved changing the return value to 0 instead of -ENOENT, which correctly indicates 'nothing unmapped' and matches the behavior of similar implementations.
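
The propagation described above can be reproduced in user space. The following is an added example, not kernel code and not part of the original page: model_unmap_page(), model_iommu_unmap(), the pte_present table and the buggy flag are constructed stand-ins, and the alignment failure is recorded as a flag instead of a BUG_ON.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 0x1000u

/* Constructed sample table: one flag per 4 KiB page, 1 = mapped, 0 = unmapped PTE. */
static const int pte_present[4] = { 1, 0, 1, 1 };

struct unmap_result {
    uint64_t end_iova;   /* iova when the loop stopped */
    size_t   unmapped;   /* running total the loop accumulated */
    int      misaligned; /* 1 where the kernel's iommu_pgsize() would hit BUG_ON */
};

/* Stand-in for __arm_lpae_unmap(): size_t return, so an errno cannot be expressed. */
static size_t model_unmap_page(uint64_t iova, int buggy)
{
    if (!pte_present[iova / PAGE_SZ])
        return buggy ? (size_t)-ENOENT : 0; /* pre-fix vs. fixed return value */
    return PAGE_SZ;
}

/* Stand-in for the __iommu_unmap() loop: advances iova by the returned size. */
static struct unmap_result model_iommu_unmap(uint64_t iova, size_t size, int buggy)
{
    struct unmap_result r = { iova, 0, 0 };
    while (r.unmapped < size) {
        if (r.end_iova & (PAGE_SZ - 1)) { /* alignment check, modelled as a flag */
            r.misaligned = 1;
            break;
        }
        size_t n = model_unmap_page(r.end_iova, buggy);
        if (!n)                           /* 0 means "nothing unmapped": stop cleanly */
            break;
        r.end_iova += n;                  /* wraps when n is (size_t)-ENOENT */
        r.unmapped += n;
    }
    return r;
}

int main(void)
{
    struct unmap_result bad = model_iommu_unmap(0, 4 * PAGE_SZ, 1);
    struct unmap_result ok  = model_iommu_unmap(0, 4 * PAGE_SZ, 0);
    printf("pre-fix: iova=%#llx misaligned=%d\n", (unsigned long long)bad.end_iova, bad.misaligned);
    printf("fixed:   iova=%#llx misaligned=%d\n", (unsigned long long)ok.end_iova, ok.misaligned);
    return 0;
}
```

In the pre-fix run the loop does not stop at the unmapped page: the huge return value is non-zero, so both iova and the running total are advanced by it and the next iteration sees a misaligned address.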

Impact Analysis

This vulnerability can cause an address overflow and trigger a kernel BUG_ON, which may lead to system instability or crashes.

Because the corrupted value causes invalid address alignment checks to fail, it can disrupt normal memory management operations related to IOMMU unmapping.

Such kernel crashes or instability could affect system availability and reliability.

Mitigation Strategies

The vulnerability is fixed by correcting the return value in the Linux kernel's iommu/io-pgtable-arm code to return 0 instead of -ENOENT in the unmap path.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
