{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23085","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.961Z","datePublished":"2026-02-04T16:08:09.368Z","dateUpdated":"2026-05-11T21:59:42.618Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:59:42.618Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Avoid truncating memory addresses\n\nOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem\nallocations to be backed by addresses physical memory above the 32-bit\naddress limit, as found while experimenting with larger VMSPLIT\nconfigurations.\n\nThis caused the qemu virt model to crash in the GICv3 driver, which\nallocates the 'itt' object using GFP_KERNEL. Since all memory below\nthe 4GB physical address limit is in ZONE_DMA in this configuration,\nkmalloc() defaults to higher addresses for ZONE_NORMAL, and the\nITS driver stores the physical address in a 32-bit 'unsigned long'\nvariable.\n\nChange the itt_addr variable to the correct phys_addr_t type instead,\nalong with all other variables in this driver that hold a physical\naddress.\n\nThe gicv5 driver correctly uses u64 variables, while all other irqchip\ndrivers don't call virt_to_phys or similar interfaces. It's expected that\nother device drivers have similar issues, but fixing this one is\nsufficient for booting a virtio based guest."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/irqchip/irq-gic-v3-its.c"],"versions":[{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"e332b3b69e5b3acf07204a4b185071bab15c2b88","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"e2f9c751f73a2d5bb62d94ab030aec118a811f27","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"85215d633983233809f7d4dad163b953331b8238","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"1b323391560354d8c515de8658b057a1daa82adb","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"084ba3b99f2dfd991ce7e84fb17117319ec3cd9f","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98","status":"affected","versionType":"git"},{"version":"cc2d3216f53c9fff0030eb71cacc4ce5f39d1d7e","lessThan":"8d76a7d89c12d08382b66e2f21f20d0627d14859","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/irqchip/irq-gic-v3-its.c"],"versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","status":"unaffected","versionType":"semver"},{"version":"5.10.249","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.68","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.8","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.10.249"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"5.15.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.1.162"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.6.122"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.12.68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.18.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88"},{"url":"https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27"},{"url":"https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238"},{"url":"https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb"},{"url":"https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f"},{"url":"https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98"},{"url":"https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859"}],"title":"irqchip/gic-v3-its: Avoid truncating memory addresses","x_generator":{"engine":"bippy-1.2.0"}}}}