Linux Kernel up to 6.18.7/6.19-rc6 io-pgtable-arm __arm_lpae_unmap data authenticity

Summaryinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.18.7/6.19-rc6. This impacts the function __arm_lpae_unmap of the component io-pgtable-arm. Performing a manipulation results in data authenticity. This vulnerability is identified as CVE-2026-23067. There is not any exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Linux Kernel up to 6.18.7/6.19-rc6. This affects the function __arm_lpae_unmap of the component io-pgtable-arm. The manipulation with an unknown input leads to a data authenticity vulnerability. CWE is classifying the issue as CWE-345. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.

It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2026-23067 since 01/13/2026. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 04/30/2026).

The vulnerability scanner Nessus provides a plugin with the ID 297898 (Linux Distros Unpatched Vulnerability : CVE-2026-23067), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.18.8 or 6.19-rc7 eliminates this vulnerability. Applying the patch 41ec6988547819756fb65e94fc24f3e0dddf84ac/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (297898) and CERT Bund (WID-SEC-2026-0324). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Debian Linux
• Google Cloud Platform
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.18.7
• 6.19-rc1
• 6.19-rc2
• 6.19-rc3
• 6.19-rc4
• 6.19-rc5
• 6.19-rc6

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion