CVE-2026-23346 in Kernel
Zusammenfassung (Englisch)
In the Linux kernel, the following vulnerability has been resolved:
arm64: io: Extract user memory type in ioremap_prot()
The only caller of ioremap_prot() outside of the generic ioremap()
implementation is generic_access_phys(), which passes a 'pgprot_t' value
determined from the user mapping of the target 'pfn' being accessed by
the kernel. On arm64, the 'pgprot_t' contains all of the non-address
bits from the pte, including the permission controls, and so we end up
returning a new user mapping from ioremap_prot() which faults when
accessed from the kernel on systems with PAN:
| Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
| ...
| Call trace:
| __memcpy_fromio+0x80/0xf8
| generic_access_phys+0x20c/0x2b8
| __access_remote_vm+0x46c/0x5b8
| access_remote_vm+0x18/0x30
| environ_read+0x238/0x3e8
| vfs_read+0xe4/0x2b0
| ksys_read+0xcc/0x178
| __arm64_sys_read+0x4c/0x68
Extract only the memory type from the user 'pgprot_t' in ioremap_prot()
and assert that we're being passed a user mapping, to protect us against
any changes in future that may require additional handling. To avoid
falsely flagging users of ioremap(), provide our own ioremap() macro
which simply wraps __ioremap_prot().
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Zuständig
Linux
Reservieren
13.01.2026
Veröffentlichung
25.03.2026
Status
Bestätigt
Einträge
VulDB provides additional information and datapoints for this CVE:
| ID | Schwachstelle | CWE | Aus | Mas | CVE |
|---|---|---|---|---|---|
| 353039 | Linux Kernel arm64 ioremap_prot erweiterte Rechte | 275 | Nicht definiert | Offizieller Fix | CVE-2026-23346 |