CVE-2026-23346
Modified Modified - Updated After Analysis
Kernel Memory Access Fault in arm64 ioremap_prot() Function

Publication date: 2026-03-25

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from ioremap_prot() which faults when accessed from the kernel on systems with PAN: | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 | ... | Call trace: | __memcpy_fromio+0x80/0xf8 | generic_access_phys+0x20c/0x2b8 | __access_remote_vm+0x46c/0x5b8 | access_remote_vm+0x18/0x30 | environ_read+0x238/0x3e8 | vfs_read+0xe4/0x2b0 | ksys_read+0xcc/0x178 | __arm64_sys_read+0x4c/0x68 Extract only the memory type from the user 'pgprot_t' in ioremap_prot() and assert that we're being passed a user mapping, to protect us against any changes in future that may require additional handling. To avoid falsely flagging users of ioremap(), provide our own ioremap() macro which simply wraps __ioremap_prot().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-06-09
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23346
EUVD
EUVD-2026-15313
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.0
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.0.1 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's arm64 architecture related to the function ioremap_prot(). The issue arises because the function incorrectly handles the 'pgprot_t' value, which contains permission controls and other non-address bits from the page table entry (pte). Specifically, the function returns a new user memory mapping that causes faults when accessed from the kernel on systems with PAN (Privileged Access Never) enabled.

The vulnerability is fixed by extracting only the memory type from the user 'pgprot_t' in ioremap_prot() and ensuring that the mapping passed is indeed a user mapping. This prevents kernel faults caused by improper permission handling and protects against future changes that might require additional handling.

Impact Analysis

This vulnerability can cause the Linux kernel to fault or crash when it attempts to access certain user memory mappings incorrectly on arm64 systems with PAN enabled. This can lead to system instability or denial of service due to kernel read faults from unreadable memory.

Detection Guidance

This vulnerability manifests as a kernel fault when accessing certain memory mappings on arm64 systems with PAN enabled. Specifically, you may observe kernel error messages similar to:

  • Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
  • Call trace involving __memcpy_fromio, generic_access_phys, and related functions

To detect this issue, monitor your system logs (e.g., using dmesg or journalctl) for such kernel faults or call traces related to ioremap_prot() or generic_access_phys().

There are no specific commands provided in the available information to directly detect this vulnerability.

Mitigation Strategies

The vulnerability has been resolved by modifying the Linux kernel to correctly extract only the memory type from the user 'pgprot_t' in ioremap_prot() and by asserting that the mapping is a user mapping.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

No other specific mitigation steps or workarounds are provided in the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart