CVE-2026-23085
Integer Overflow in Linux GICv3 ITS Driver Causes Kernel Crash
Publication date: 2026-02-04
Last updated on: 2026-03-17
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.199 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.162 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.122 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.68 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.8 (exc) |
| linux | linux_kernel | From 3.19 (inc) to 5.10.249 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's irqchip/gic-v3-its driver where memory addresses are improperly truncated on 32-bit machines with CONFIG_ARM_LPAE enabled.
Specifically, low memory allocations can be backed by physical memory addresses above the 32-bit address limit, but the driver stores these addresses in a 32-bit unsigned long variable, causing truncation.
This truncation leads to crashes in the QEMU virt model's GICv3 driver because the physical address is not correctly represented.
The fix involves changing the variable holding the physical address to the correct phys_addr_t type, which can handle larger addresses, preventing the truncation and associated crashes.
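The truncation described above, modelled in user space as an added example; it is not code from the kernel driver. The type names, the 256-byte alignment and the sample addresses are assumptions made for illustration: `ulong32_t` stands in for a 32-bit unsigned long and `phys_addr64_t` for phys_addr_t with CONFIG_ARM_LPAE enabled.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins (assumptions of this example) for the types on 32-bit ARM with
 * CONFIG_ARM_LPAE: unsigned long is 32 bits wide, phys_addr_t is 64 bits. */
typedef uint32_t ulong32_t;
typedef uint64_t phys_addr64_t;
#define ITT_ALIGN 256u  /* hypothetical table alignment for the example */

/* Round a physical address up to the table alignment. */
static phys_addr64_t align_up(phys_addr64_t addr)
{
    return (addr + ITT_ALIGN - 1) & ~(phys_addr64_t)(ITT_ALIGN - 1);
}

/* "Before" pattern: the physical address passes through a 32-bit variable,
 * so every bit above bit 31 is silently dropped. */
static phys_addr64_t itt_addr_before(phys_addr64_t phys)
{
    ulong32_t itt_addr = (ulong32_t)phys;   /* truncation happens here */
    return align_up(itt_addr);
}

/* "After" pattern: the variable has the full physical-address width. */
static phys_addr64_t itt_addr_after(phys_addr64_t phys)
{
    phys_addr64_t itt_addr = phys;
    return align_up(itt_addr);
}

/* Review check: does the value survive a round trip through 32 bits? */
static int survives_ulong32(phys_addr64_t phys)
{
    return (phys_addr64_t)(ulong32_t)phys == phys;
}

int main(void)
{
    /* Constructed sample addresses: one below and one above the 4 GiB limit. */
    const phys_addr64_t samples[] = { 0x4812340ull, 0x140012340ull };
    for (unsigned i = 0; i < 2; i++) {
        phys_addr64_t p = samples[i];
        printf("phys=%#llx before=%#llx after=%#llx fits32=%d\n",
               (unsigned long long)p, (unsigned long long)itt_addr_before(p),
               (unsigned long long)itt_addr_after(p), survives_ulong32(p));
    }
    return 0;
}
```

For the address above 4 GiB, the "before" path yields a different, lower physical address than the one that was allocated, while the "after" path preserves it.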
How can this vulnerability impact me?
This vulnerability can cause system instability or crashes when running virtualized environments using the QEMU virt model on affected 32-bit ARM systems with CONFIG_ARM_LPAE enabled.
Specifically, the GICv3 interrupt controller driver may crash due to incorrect handling of physical memory addresses, potentially leading to denial of service or system failure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
This vulnerability has been resolved by changing the variable types in the irqchip/gic-v3-its driver to correctly handle physical addresses beyond the 32-bit limit.
To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
Specifically, ensure that your kernel includes the patch that changes the 'itt_addr' variable and other physical address variables in the driver to use the correct phys_addr_t type instead of a 32-bit unsigned long.