CVE-2026-23085 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3-its: Avoid truncating memory addresses

On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations.

This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable.

Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address.

The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/03/2026

This vulnerability exists within the Linux kernel's Generic Interrupt Controller version 3 Interrupt Translation Table (GICv3 ITS) driver where a critical memory address truncation issue occurs on 32-bit ARM systems configured with CONFIG_ARM_LPAE. The flaw manifests when the kernel attempts to allocate memory for the Interrupt Translation Table (ITT) object using GFP_KERNEL allocation flags, which can result in physical memory addresses being allocated above the standard 32-bit address limit of 4GB. This situation becomes particularly problematic when running with larger VMSPLIT configurations that enable extended memory management capabilities.

The technical implementation flaw stems from the driver's use of 32-bit 'unsigned long' variables to store physical memory addresses, which cannot accommodate the full range of physical addresses available on LPAE-enabled systems. When the kernel's memory allocator places low memory allocations in ZONE_DMA regions that extend beyond the 32-bit boundary, the ITS driver's storage mechanism fails to preserve the complete physical address information. This truncation occurs specifically during the allocation process where kmalloc() defaults to higher memory addresses for ZONE_NORMAL regions, while the driver's itt_addr variable cannot properly represent addresses exceeding 32-bit limits. The vulnerability is classified as a memory management error that violates the expected address space handling for ARM architecture systems.

The operational impact of this vulnerability is severe, particularly in virtualized environments using QEMU's virt model where the system crashes during boot due to the GICv3 driver's inability to handle extended physical addresses correctly. The crash occurs because the driver's truncated address information causes memory access violations when the ITS component attempts to reference the ITT object. This issue directly affects the boot process of ARM-based virtual machines, rendering the system non-functional and preventing proper operation of virtualized guest operating systems. The vulnerability represents a fundamental architectural mismatch between the driver's address handling capabilities and the memory management capabilities enabled by LPAE configurations.

The mitigation strategy involves correcting the data type declarations within the GICv3 ITS driver by changing the itt_addr variable from 'unsigned long' to the appropriate phys_addr_t type, which properly handles full physical address ranges. This change aligns with the approach already implemented in the GICv5 driver that correctly uses u64 variables for address storage. The fix ensures that all physical address variables within the driver maintain sufficient bit width to represent addresses across the complete physical memory space. This remediation addresses the core issue while maintaining compatibility with existing system configurations. The solution follows established kernel development practices for memory address handling and aligns with the ARM architecture's memory management requirements, as referenced in CWE-128 for unsigned integer overflow and CWE-704 for incorrect type usage in memory management contexts. The fix specifically addresses the ATT&CK technique T1059.001 for system boot process manipulation and T1543.003 for bootkit development, as it prevents unauthorized system modification through memory corruption during initialization phases.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00123

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!