{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T11:31:27.133","vulnerabilities":[{"cve":{"id":"CVE-2026-23067","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-04T17:16:17.403","lastModified":"2026-03-13T21:27:45.107","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/io-pgtable-arm: fix size_t signedness bug in unmap path\n\n__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative\nerror code) when encountering an unmapped PTE. Since size_t is unsigned,\n-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE\non 64-bit systems).\n\nThis corrupted value propagates through the call chain:\n  __arm_lpae_unmap() returns -ENOENT as size_t\n  -> arm_lpae_unmap_pages() returns it\n  -> __iommu_unmap() adds it to iova address\n  -> iommu_pgsize() triggers BUG_ON due to corrupted iova\n\nThis can cause IOVA address overflow in __iommu_unmap() loop and\ntrigger BUG_ON in iommu_pgsize() from invalid address alignment.\n\nFix by returning 0 instead of -ENOENT. The WARN_ON already signals\nthe error condition, and returning 0 (meaning \"nothing unmapped\")\nis the correct semantic for size_t return type. This matches the\nbehavior of other io-pgtable implementations (io-pgtable-arm-v7s,\nio-pgtable-dart) which return 0 on error conditions."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\niommu/io-pgtable-arm: corrección de error de signo de size_t en la ruta de desmapeo\n\n__arm_lpae_unmap() devuelve size_t pero estaba devolviendo -ENOENT (código de error negativo) al encontrar una PTE no mapeada. Dado que size_t no tiene signo, -ENOENT (típicamente -2) se convierte en un valor positivo enorme (0xFFFFFFFFFFFFFFFE en sistemas de 64 bits).\n\nEste valor corrupto se propaga a través de la cadena de llamadas:\n  __arm_lpae_unmap() devuelve -ENOENT como size_t\n  -> arm_lpae_unmap_pages() lo devuelve\n  -> __iommu_unmap() lo añade a la dirección iova\n  -> iommu_pgsize() activa BUG_ON debido a iova corrupta\n\nEsto puede causar un desbordamiento de dirección IOVA en el bucle de __iommu_unmap() y activar BUG_ON en iommu_pgsize() por una alineación de dirección inválida.\n\nSe corrige devolviendo 0 en lugar de -ENOENT. El WARN_ON ya señala la condición de error, y devolver 0 (que significa 'nada desmapeado') es la semántica correcta para el tipo de retorno size_t. Esto coincide con el comportamiento de otras implementaciones de io-pgtable (io-pgtable-arm-v7s, io-pgtable-dart) que devuelven 0 en condiciones de error."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.8","matchCriteriaId":"467E1359-7F6A-4790-AC45-172024944460"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}