Description
In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3-its: Avoid truncating memory addresses

On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
allocations to be backed by physical memory addresses above the 32-bit
address limit, as found while experimenting with larger VMSPLIT
configurations.

This caused the qemu virt model to crash in the GICv3 driver, which
allocates the 'itt' object using GFP_KERNEL. Since all memory below
the 4GB physical address limit is in ZONE_DMA in this configuration,
kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
ITS driver stores the physical address in a 32-bit 'unsigned long'
variable.

Change the itt_addr variable to the correct phys_addr_t type instead,
along with all other variables in this driver that hold a physical
address.

The gicv5 driver correctly uses u64 variables, while all other irqchip
drivers don't call virt_to_phys or similar interfaces. It's expected that
other device drivers have similar issues, but fixing this one is
sufficient for booting a virtio based guest.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Crash)
Action: Patch
AI Analysis

Impact

The flaw resides in the Linux kernel’s GICv3 interrupt controller driver for 32‑bit ARM systems compiled with CONFIG_ARM_LPAE. A physical address that can be up to 64 bits is stored in a 32‑bit unsigned long variable, causing the address to be truncated. When the driver allocates the ITS table with GFP_KERNEL, the truncated address leads the kernel to request memory that lies outside the valid range, resulting in a crash of the system during boot or while running a virtio‑based guest. This integer‑truncation defect directly compromises system stability and permits an attacker to cause a denial of service by simply rebooting or running the affected kernel.
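The truncation described above, modelled in user-space C as an added example (this is not the kernel patch or the driver's code). Fixed-width types stand in for a 32-bit LPAE build so it behaves the same on a 64-bit host; `ulong32_t`, `model_virt_to_phys`, `PAGE_OFFSET_MODEL`, `LOWMEM_PHYS_BASE` and the sample addresses are constructed assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of 32-bit ARM with LPAE: 'unsigned long' is 32 bits wide,
 * while a physical address needs more than 32 bits. */
typedef uint32_t ulong32_t;    /* stands in for the 32-bit 'unsigned long' */
typedef uint64_t phys_addr_t;  /* LPAE physical address type */

/* Hypothetical linear map: lowmem is backed by RAM starting at 4 GiB. */
#define PAGE_OFFSET_MODEL 0xC0000000u
#define LOWMEM_PHYS_BASE  0x100000000ULL

static phys_addr_t model_virt_to_phys(uint32_t vaddr)
{
    return LOWMEM_PHYS_BASE + (vaddr - PAGE_OFFSET_MODEL);
}

/* Before: the physical address is kept in a 32-bit variable, so the bits
 * above bit 31 are silently dropped before the value reaches the device. */
static phys_addr_t itt_addr_before(uint32_t itt_vaddr)
{
    ulong32_t itt_addr = (ulong32_t)model_virt_to_phys(itt_vaddr);
    return itt_addr;
}

/* After: the variable has the physical-address type and keeps every bit. */
static phys_addr_t itt_addr_after(uint32_t itt_vaddr)
{
    phys_addr_t itt_addr = model_virt_to_phys(itt_vaddr);
    return itt_addr;
}

/* Audit helper: would this physical address survive a 32-bit variable? */
static int fits_in_ulong32(phys_addr_t pa)
{
    return (phys_addr_t)(ulong32_t)pa == pa;
}

int main(void)
{
    uint32_t itt = 0xC1234500u; /* constructed lowmem virtual address */

    printf("before: 0x%" PRIx64 "\n", itt_addr_before(itt));
    printf("after:  0x%" PRIx64 "\n", itt_addr_after(itt));
    printf("fits in 32 bits: %d\n", fits_in_ulong32(itt_addr_after(itt)));
    return 0;
}
```
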

Affected Systems

The issue is present in Linux kernel 6.19 release‑candidate releases 1 through 6 and in any other builds compiled with CONFIG_ARM_LPAE on 32‑bit ARM hardware. CPE entries for the kernel include the generic Linux kernel and the 6.19 rc1‑rc6 builds. The vulnerability is triggered when the GICv3 ITS driver is initialized, such as in machines or devices that rely on virtio guest support.

Risk and Exploitability

The CVSS score of 5.5 reflects a moderate severity, while the EPSS score of less than 1 % indicates a very low likelihood of real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the system to boot with the vulnerable kernel, so it is likely limited to a privileged user or an attacker who can replace the kernel image. Given the low exploitation probability and the absence of active exploitation, the overall risk remains moderate but mitigation is recommended.

Generated by OpenCVE AI on April 18, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the GICv3 driver fix for 32‑bit ARM with CONFIG_ARM_LPAE.
  • If an immediate kernel upgrade is not possible, rebuild the kernel applying the patch that changes 'itt_addr' and related variables to the phys_addr_t type.
  • As a temporary measure, disable the GICv3 ITS driver or virtualization features that trigger its initialization on the affected systems.


Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4475-1 | linux security update |
| Debian DLA | DLA-4476-1 | linux-6.1 security update |
| Debian DSA | DSA-6126-1 | linux security update |
| Debian DSA | DSA-6127-1 | linux security update |
| Ubuntu USN | USN-8162-1 | Linux kernel (NVIDIA Tegra) vulnerabilities |
| Ubuntu USN | USN-8180-1 | Linux kernel vulnerabilities |
| Ubuntu USN | USN-8180-2 | Linux kernel (FIPS) vulnerabilities |
| Ubuntu USN | USN-8186-1 | Linux kernel (Real-time) vulnerabilities |
| Ubuntu USN | USN-8187-1 | Linux kernel (NVIDIA) vulnerabilities |
| Ubuntu USN | USN-8188-1 | Linux kernel (HWE) vulnerabilities |

History

Sat, 18 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-194
CWE-681

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Fri, 06 Feb 2026 17:00:00 +0000


Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description (same text as the Description at the top of this page)
Title irqchip/gic-v3-its: Avoid truncating memory addresses
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:25.150Z

Reserved: 2026-01-13T15:37:45.961Z

Link: CVE-2026-23085

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-04T17:16:19.363

Modified: 2026-03-17T21:10:24.880

Link: CVE-2026-23085

Redhat

Severity: Low

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23085 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z