CVE-2026-23067: Reachable Assertion in Linux

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 94.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 4

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems).

This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() retu
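The signedness bug described above, reduced to a user-space C sketch (an added example, not the kernel's code or its patch). All function names, the four-entry table and the caller loop are hypothetical, and the zero-return variant is an assumed convention, since the description on this page is cut off before the fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ ((size_t)4096)   /* constructed page size for the demo */
typedef size_t addr_t;           /* demo address type, same width as size_t */

/* Constructed one-level "page table": 0 means the entry is not mapped. */
static const unsigned char mapped[4] = {1, 1, 0, 1};

/* Buggy shape: an unsigned return type carrying a negative errno. */
static size_t unmap_one_buggy(size_t idx)
{
    if (!mapped[idx])
        return -ENOENT;          /* silently converted to SIZE_MAX - 1 */
    return PAGE_SZ;
}

/* Hardened shape (assumed convention): "nothing unmapped" is 0 bytes. */
static size_t unmap_one_fixed(size_t idx)
{
    return mapped[idx] ? PAGE_SZ : 0;
}

/* Hypothetical caller: advances the address by the bytes each step reports.
 * Zero is the only failure signal an unsigned byte count can carry. */
static addr_t unmap_range(addr_t iova, size_t npages, size_t (*unmap_one)(size_t))
{
    for (size_t i = 0; i < npages; i++) {
        size_t done = unmap_one(i);
        if (done == 0)
            break;
        iova += done;            /* wraps when done is a converted errno */
    }
    return iova;
}

int main(void)
{
    printf("buggy return on hole: %#zx\n", unmap_one_buggy(2));
    printf("end address, buggy:   %#zx\n", unmap_range(0x10000, 4, unmap_one_buggy));
    printf("end address, fixed:   %#zx\n", unmap_range(0x10000, 4, unmap_one_fixed));
    return 0;
}
```

With the buggy helper the caller never sees a failure: the address is moved by a wrapped offset and the walk continues from a misaligned position, which is the kind of corrupted state a later sanity check trips over.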

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD | linux/linux_kernel | 6.16 6.18.8 | +1
Debian | linux/linux_kernel | < 6.18.8-1
CVEListV5 | linux/linux | 3318f7b5cefbff96b1bb49584ac38d2c9997a830 41ec6988547819756fb65e94fc24f3e0dddf84ac | +2

Patches

🔴 Vulnerability Details (3)

CVEList: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path (2026-02-04)
GHSA: GHSA-vjjp-v767-cx96: In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() (2026-02-04)
OSV: CVE-2026-23067: In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() r (2026-02-04)

📋 Vendor Advisories (2)

Red Hat: kernel: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path (2026-02-04)
Debian: CVE-2026-23067: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/io-pg... 2026

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-23067 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23067 — Reachable Assertion in Linux | cvebase