{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23085", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.961Z", "datePublished": "2026-02-04T16:08:09.368Z", "dateUpdated": "2026-05-11T21:59:42.618Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:42.618Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the 'itt' object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit 'unsigned long'\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don't call virt_to_phys or similar interfaces. It's expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/irqchip/irq-gic-v3-its.c"], "versions": [{"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "e332b3b69e5b3acf07204a4b185071bab15c2b88", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "e2f9c751f73a2d5bb62d94ab030aec118a811f27", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "85215d633983233809f7d4dad163b953331b8238", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "1b323391560354d8c515de8658b057a1daa82adb", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "084ba3b99f2dfd991ce7e84fb17117319ec3cd9f", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98", "status": "affected", "versionType": "git"}, {"version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e", "lessThan": "8d76a7d89c12d08382b66e2f21f20d0627d14859", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/irqchip/irq-gic-v3-its.c"], "versions": [{"version": "3.19", "status": "affected"}, {"version": "0", "lessThan": "3.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.19", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"}, {"url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"}, {"url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"}, {"url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"}, {"url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"}, {"url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"}, {"url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"}], "title": "irqchip/gic-v3-its: Avoid truncating memory addresses", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D727D1-8078-464E-B5EA-519FA082EFD2", "versionEndExcluding": "5.10.249", "versionStartIncluding": "3.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the 'itt' object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit 'unsigned long'\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don't call virt_to_phys or similar interfaces. It's expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nirqchip/gic-v3-its: Evitar la truncaci\u00f3n de direcciones de memoria\n\nEn m\u00e1quinas de 32 bits con CONFIG_ARM_LPAE, es posible que las asignaciones de memoria baja est\u00e9n respaldadas por direcciones de memoria f\u00edsica por encima del l\u00edmite de direcciones de 32 bits, como se descubri\u00f3 al experimentar con configuraciones VMSPLIT m\u00e1s grandes.\n\nEsto caus\u00f3 que el modelo virt de qemu colapsara en el controlador GICv3, que asigna el objeto 'itt' usando GFP_KERNEL. Dado que toda la memoria por debajo del l\u00edmite de direcciones f\u00edsicas de 4 GB est\u00e1 en ZONE_DMA en esta configuraci\u00f3n, kmalloc() por defecto utiliza direcciones m\u00e1s altas para ZONE_NORMAL, y el controlador ITS almacena la direcci\u00f3n f\u00edsica en una variable 'unsigned long' de 32 bits.\n\nCambiar la variable itt_addr al tipo correcto phys_addr_t en su lugar, junto con todas las dem\u00e1s variables en este controlador que contienen una direcci\u00f3n f\u00edsica.\n\nEl controlador gicv5 utiliza correctamente variables u64, mientras que todos los dem\u00e1s controladores irqchip no llaman a virt_to_phys o interfaces similares. Se espera que otros controladores de dispositivos tengan problemas similares, pero solucionar este es suficiente para arrancar un invitado basado en virtio."}], "id": "CVE-2026-23085", "lastModified": "2026-03-17T21:10:24.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:19.363", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: irqchip/gic-v3-its: Avoid truncating memory addresses", "id": "2436828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436828"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23085", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23085\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23085\nhttps://lore.kernel.org/linux-cve-announce/2026020423-CVE-2026-23085-14e2@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:28:41.578843+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the GICv3 driver fix for 32\u2011bit ARM with CONFIG_ARM_LPAE.", "If an immediate kernel upgrade is not possible, rebuild the kernel applying the patch that changes 'itt_addr' and related variables to the phys_addr_t type.", "As a temporary measure, disable the GICv3 ITS driver or virtualization features that trigger its initialization on the affected systems."], "summary": {"action": "Patch", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "The issue is present in Linux kernel 6.19 release\u2011candidate releases 1 through 6 and in any other builds compiled with CONFIG_ARM_LPAE on 32\u2011bit ARM hardware. CPE entries for the kernel include the generic Linux kernel and the 6.19 rc1\u2011rc6 builds. The vulnerability is triggered when the GICv3 ITS driver is initialized, such as in machines or devices that rely on virtio guest support.", "description_and_impact": "The flaw resides in the Linux kernel\u2019s GICv3 interrupt controller driver for 32\u2011bit ARM systems compiled with CONFIG_ARM_LPAE. A physical address that can be up to 64 bits is stored in a 32\u2011bit unsigned long variable, causing the address to be truncated. When the driver allocates the ITS table with GFP_KERNEL, the truncated address leads the kernel to request memory that lies outside the valid range, resulting in a crash of the system during boot or while running a virtio\u2011based guest. This integer\u2011truncation defect directly compromises system stability and permits an attacker to cause a denial of service by simply rebooting or running the affected kernel.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a moderate severity, while the EPSS score of less than 1\u202f% indicates a very low likelihood of real\u2011world exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the system to boot with the vulnerable kernel, so it is likely limited to a privileged user or an attacker who can replace the kernel image. Given the low exploitation probability and the absence of active exploitation, the overall risk remains moderate but mitigation is recommended."}}}}, "created": "2026-04-18T18:30:07.293519+00:00", "updated": "2026-04-18T18:30:07.293529+00:00", "vendors": [], "weaknesses": ["CWE-194", "CWE-681"]}