DEBIAN-CVE-2026-23067
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-23067
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23067.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-23067
- Upstream
- Published
- 2026-02-04T17:16:17.403Z
- Modified
- 2026-02-13T04:25:32.312818Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix sizet signedness bug in unmap path _armlpaeunmap() returns sizet but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since sizet is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: _armlpaeunmap() returns -ENOENT as sizet -> armlpaeunmappages() returns it -> _iommuunmap() adds it to iova address -> iommupgsize() triggers BUGON due to corrupted iova This can cause IOVA address overflow in _iommuunmap() loop and trigger BUGON in iommupgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARNON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.
- References
Affected packages
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.18.8-1