CVE-2026-23085 (GCVE-0-2026-23085)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-09 08:38
VLAI?
Title
irqchip/gic-v3-its: Avoid truncating memory addresses
Summary
In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e332b3b69e5b3acf07204a4b185071bab15c2b88 (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < e2f9c751f73a2d5bb62d94ab030aec118a811f27 (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 85215d633983233809f7d4dad163b953331b8238 (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 1b323391560354d8c515de8658b057a1daa82adb (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 084ba3b99f2dfd991ce7e84fb17117319ec3cd9f (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 (git)
Affected: cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e , < 8d76a7d89c12d08382b66e2f21f20d0627d14859 (git)
Create a notification for this product.
    Linux Linux Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.10.249 , ≤ 5.10.* (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v3-its.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e332b3b69e5b3acf07204a4b185071bab15c2b88",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "e2f9c751f73a2d5bb62d94ab030aec118a811f27",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "85215d633983233809f7d4dad163b953331b8238",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "1b323391560354d8c515de8658b057a1daa82adb",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "084ba3b99f2dfd991ce7e84fb17117319ec3cd9f",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            },
            {
              "lessThan": "8d76a7d89c12d08382b66e2f21f20d0627d14859",
              "status": "affected",
              "version": "cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v3-its.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the \u0027itt\u0027 object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit \u0027unsigned long\u0027\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don\u0027t call virt_to_phys or similar interfaces. It\u0027s expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:38:25.150Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"
        },
        {
          "url": "https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"
        },
        {
          "url": "https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"
        }
      ],
      "title": "irqchip/gic-v3-its: Avoid truncating memory addresses",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23085",
    "datePublished": "2026-02-04T16:08:09.368Z",
    "dateReserved": "2026-01-13T15:37:45.961Z",
    "dateUpdated": "2026-02-09T08:38:25.150Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23085\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:19.363\",\"lastModified\":\"2026-03-17T21:10:24.880\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/gic-v3-its: Avoid truncating memory addresses\\n\\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\\nallocations to be backed by addresses physical memory above the 32-bit\\naddress limit, as found while experimenting with larger VMSPLIT\\nconfigurations.\\n\\nThis caused the qemu virt model to crash in the GICv3 driver, which\\nallocates the \u0027itt\u0027 object using GFP_KERNEL. Since all memory below\\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\\nITS driver stores the physical address in a 32-bit \u0027unsigned long\u0027\\nvariable.\\n\\nChange the itt_addr variable to the correct phys_addr_t type instead,\\nalong with all other variables in this driver that hold a physical\\naddress.\\n\\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\\ndrivers don\u0027t call virt_to_phys or similar interfaces. It\u0027s expected that\\nother device drivers have similar issues, but fixing this one is\\nsufficient for booting a virtio based guest.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nirqchip/gic-v3-its: Evitar la truncaci\u00f3n de direcciones de memoria\\n\\nEn m\u00e1quinas de 32 bits con CONFIG_ARM_LPAE, es posible que las asignaciones de memoria baja est\u00e9n respaldadas por direcciones de memoria f\u00edsica por encima del l\u00edmite de direcciones de 32 bits, como se descubri\u00f3 al experimentar con configuraciones VMSPLIT m\u00e1s grandes.\\n\\nEsto caus\u00f3 que el modelo virt de qemu colapsara en el controlador GICv3, que asigna el objeto \u0027itt\u0027 usando GFP_KERNEL. Dado que toda la memoria por debajo del l\u00edmite de direcciones f\u00edsicas de 4 GB est\u00e1 en ZONE_DMA en esta configuraci\u00f3n, kmalloc() por defecto utiliza direcciones m\u00e1s altas para ZONE_NORMAL, y el controlador ITS almacena la direcci\u00f3n f\u00edsica en una variable \u0027unsigned long\u0027 de 32 bits.\\n\\nCambiar la variable itt_addr al tipo correcto phys_addr_t en su lugar, junto con todas las dem\u00e1s variables en este controlador que contienen una direcci\u00f3n f\u00edsica.\\n\\nEl controlador gicv5 utiliza correctamente variables u64, mientras que todos los dem\u00e1s controladores irqchip no llaman a virt_to_phys o interfaces similares. Se espera que otros controladores de dispositivos tengan problemas similares, pero solucionar este es suficiente para arrancar un invitado basado en virtio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.19\",\"versionEndExcluding\":\"5.10.249\",\"matchCriteriaId\":\"B2D727D1-8078-464E-B5EA-519FA082EFD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.199\",\"matchCriteriaId\":\"A247FBA6-BEB9-484F-B892-DD5517949CCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.162\",\"matchCriteriaId\":\"6579E0D4-0641-479D-A4C3-0EF618798C55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.122\",\"matchCriteriaId\":\"8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.68\",\"matchCriteriaId\":\"52F38E19-0FDD-4992-9D6D-D4169D689598\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.8\",\"matchCriteriaId\":\"E65C6E79-7EBE-4C77-93F0-818CF5B38F4E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F71D92C0-C023-48BD-B3B6-70B638EEE298\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"13580667-0A98-40CC-B29F-D12790B91BDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.