Description
In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative
error code) when encountering an unmapped PTE. Since size_t is unsigned,
-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE
on 64-bit systems).

This corrupted value propagates through the call chain:
__arm_lpae_unmap() returns -ENOENT as size_t
-> arm_lpae_unmap_pages() returns it
-> __iommu_unmap() adds it to iova address
-> iommu_pgsize() triggers BUG_ON due to corrupted iova

This can cause IOVA address overflow in __iommu_unmap() loop and
trigger BUG_ON in iommu_pgsize() from invalid address alignment.

Fix by returning 0 instead of -ENOENT. The WARN_ON already signals
the error condition, and returning 0 (meaning "nothing unmapped")
is the correct semantic for size_t return type. This matches the
behavior of other io-pgtable implementations (io-pgtable-arm-v7s,
io-pgtable-dart) which return 0 on error conditions.
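
The conversion and its effect on the caller's loop can be reproduced in user space. The following is an added example, not kernel code or part of the patch: the function names, the four-entry "page table", the 4 KiB page size and the start address are all constructed, and the alignment check only stands in for the BUG_ON described above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096UL                      /* assumed 4 KiB granule */
static const int mapped[4] = {1, 1, 0, 1};  /* constructed: page 2 is unmapped */

/* Pre-fix shape: a negative errno leaks through an unsigned return type. */
static size_t unmap_one_buggy(size_t idx)
{
    if (!mapped[idx])
        return -ENOENT;                     /* converted to a huge size_t */
    return PAGE_SZ;
}

/* Post-fix shape: 0 means "nothing unmapped". */
static size_t unmap_one_fixed(size_t idx)
{
    return mapped[idx] ? PAGE_SZ : 0;
}

/* Caller loop modelled on the description: stop on 0, otherwise add the
 * returned size to iova. Sets *misaligned where the alignment check fails. */
static uint64_t unmap_range(uint64_t iova, size_t pages,
                            size_t (*unmap_one)(size_t), int *misaligned)
{
    uint64_t start = iova;
    size_t unmapped = 0, total = pages * PAGE_SZ;

    *misaligned = 0;
    while (unmapped < total) {
        if (iova & (PAGE_SZ - 1)) {         /* stand-in for the BUG_ON */
            *misaligned = 1;
            break;
        }
        size_t n = unmap_one((iova - start) / PAGE_SZ);
        if (!n)
            break;
        iova += n;                          /* wraps when n is (size_t)-ENOENT */
        unmapped += n;
    }
    return iova;
}

int main(void)
{
    int bad;
    uint64_t end = unmap_range(0x100000, 4, unmap_one_buggy, &bad);
    printf("buggy: iova=%#llx misaligned=%d\n", (unsigned long long)end, bad);
    end = unmap_range(0x100000, 4, unmap_one_fixed, &bad);
    printf("fixed: iova=%#llx misaligned=%d\n", (unsigned long long)end, bad);
    return 0;
}
```

With the buggy variant the loop does not stop at the unmapped page, because the returned value is non-zero; the iova moves backwards by ENOENT bytes and fails the alignment check on the next iteration.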
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash
Action: Patch
AI Analysis

Impact

The flaw occurs when the ARM LPAE unmap routine returns a signed error value through a size_t return type, causing the negative value to be interpreted as a huge unsigned number. This corrupted value propagates through the call chain, eventually producing a mis‑aligned address that triggers a BUG_ON and leads to a kernel panic. The weakness is identified as CWE‑617: Incorrect Check or Handling of Error Condition. The description does not indicate a pathway to arbitrary code execution or privilege escalation.

Affected Systems

All Linux kernels built from the 6.19 source tree before the patch are vulnerable. This includes the 6.19 release candidates up to rc6 and any distribution kernel that has not integrated the fix. The issue applies to the iommu/io‑pgtable‑arm implementation on those kernels.

Risk and Exploitability

The CVSS score of 5.5 classifies the item as moderate severity while the EPSS score of less than 1 % indicates a very low probability of exploitation. Based on the description, it is inferred that the bug requires interaction with the IOMMU subsystem, which is normally limited to privileged kernel code or device drivers, making remote exploitation unlikely. Nonetheless, any legitimate driver that invokes unmap on an unmapped page table entry can immediately trigger a kernel panic. The vulnerability is not listed in CISA’s KEV catalog, so no known active exploits exist at present.

Generated by OpenCVE AI on April 18, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official kernel patch that changes __arm_lpae_unmap to return 0 instead of -ENOENT when unmapping fails.
  • Upgrade the system to a kernel version that includes this fix, such as any release made after the patch commit, or any newer stable release that incorporates the change.
  • Re‑compile and reinstall any custom kernel modules or drivers that interact with the IOMMU subsystem to ensure they link against the updated code.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Title iommu/io-pgtable-arm: fix size_t signedness bug in unmap path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:06.354Z

Reserved: 2026-01-13T15:37:45.954Z

Link: CVE-2026-23067

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-04T17:16:17.403

Modified: 2026-03-13T21:27:45.107

Link: CVE-2026-23067

Redhat

Severity : Low

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23067 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z
