CVE-2026-23085

MEDIUM EPSS 2.4%
Published Feb 4, 20264mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥3.19  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88
    Patch