CVE-2026-23067

Description

In the Linux kernel, the following vulnerability has been resolved:iommu/io-pgtable-arm: fix size_t signedness bug in unmap path__arm_lpae_unmap() returns size_t but was returning -ENOENT (negativeerror code) when encountering an unmapped PTE. Since size_t is unsigned,-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFEon 64-bit systems).This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iovaThis can cause IOVA address overflow in __iommu_unmap() loop andtrigger BUG_ON in iommu_pgsize() from invalid address alignment.Fix by returning 0 instead of -ENOENT. The WARN_ON already signalsthe error condition, and returning 0 (meaning nothing unmapped)is the correct semantic for size_t return type. This matches thebehavior of other io-pgtable implementations (io-pgtable-arm-v7s,io-pgtable-dart) which return 0 on error conditions.

Risk Information

Base Score

5.5

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

Exploitation Probability

0.019

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234