CVE-2026-23085 Overview
A memory address truncation vulnerability has been discovered in the Linux kernel's GIC-v3-ITS (Generic Interrupt Controller version 3 - Interrupt Translation Service) driver. On 32-bit machines with CONFIG_ARM_LPAE (Large Physical Address Extension) enabled, lowmem allocations can be backed by physical memory addresses above the 32-bit address limit. This issue was identified while experimenting with larger VMSPLIT configurations and caused crashes in the QEMU virt model when using the GICv3 driver.
Critical Impact
The vulnerability can cause system crashes in virtualized environments when the GICv3 driver attempts to store physical addresses exceeding 32-bit limits in unsigned long variables, potentially leading to denial of service conditions and system instability.
Affected Products
- Linux kernel with GIC-v3-ITS driver on 32-bit ARM systems
- Systems with CONFIG_ARM_LPAE enabled
- QEMU virtualized environments using GICv3
Discovery Timeline
- 2026-02-04 - CVE-2026-23085 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23085
Vulnerability Analysis
The vulnerability exists in the GIC-v3-ITS interrupt controller driver within the Linux kernel. When operating on 32-bit ARM systems with Large Physical Address Extension (LPAE) support enabled, the kernel can allocate memory from physical addresses above the 4GB boundary. The GICv3 driver allocates the ITT (Interrupt Translation Table) object using GFP_KERNEL; under this configuration all memory below the 4GB physical address limit resides in ZONE_DMA, so GFP_KERNEL allocations are served from ZONE_NORMAL, which holds the higher physical addresses.
The core issue is that the driver stores these physical addresses in 32-bit unsigned long variables, which results in address truncation when physical addresses exceed the 32-bit addressable range. This truncation causes the driver to operate on incorrect memory addresses, leading to system crashes.
Root Cause
The root cause is the improper use of 32-bit unsigned long variables to store physical memory addresses in the GIC-v3-ITS driver. On 32-bit systems with LPAE, physical addresses can be larger than 32 bits, requiring the use of the phys_addr_t type instead. The itt_addr variable and other similar variables in the driver were incorrectly typed, causing address truncation when kmalloc() returns memory from physical addresses above 4GB.
Attack Vector
This is a local denial of service vulnerability that can be triggered under specific system configurations. The attack vector involves:
- Running a 32-bit ARM system with CONFIG_ARM_LPAE enabled
- Using memory configurations where lowmem allocations are backed by physical addresses above 4GB (such as larger VMSPLIT configurations)
- The GICv3 driver allocating the itt object via GFP_KERNEL, receiving an address above the 32-bit limit
- The physical address being truncated when stored in a 32-bit unsigned long variable
- Subsequent operations using the incorrect truncated address, causing system crashes
The vulnerability manifests when the virt_to_phys() function returns addresses that exceed the capacity of the 32-bit variable type. The fix involves changing the itt_addr variable and all other physical address variables in the driver to the correct phys_addr_t type, which properly handles addresses on systems with LPAE support. Technical details can be found in the Linux kernel commit updates.
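The truncation described above can be reproduced on any host without a 32-bit LPAE kernel. The following is an added illustration, not code from the Linux kernel or from the fix commits: it models phys_addr_t under CONFIG_ARM_LPAE as a 64-bit type and the 32-bit kernel's unsigned long as a 32-bit type, then shows what the buggy store does to an allocation above 4GB, what the phys_addr_t-typed fix does, and how a defender can check whether a given address would be corrupted. The sample addresses, the PAGE_SHIFT value and the function names are constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the two C types involved (assumption: 32-bit ARM kernel with LPAE).
 * phys_addr_t is 64 bits wide under CONFIG_ARM_LPAE; unsigned long is 32 bits wide. */
typedef uint64_t lpae_phys_addr_t;   /* models phys_addr_t */
typedef uint32_t arm32_ulong;        /* models unsigned long on the 32-bit kernel */

#define PAGE_SHIFT 12                /* 4 KiB pages, constructed for the example */

/* Buggy pattern from the advisory: the ITT's physical address is kept in an
 * unsigned long, so bits 32 and above are silently dropped. */
static arm32_ulong store_itt_addr_truncated(lpae_phys_addr_t phys)
{
    arm32_ulong itt_addr = (arm32_ulong)phys;   /* narrowing; implicit in the real code */
    return itt_addr;
}

/* Fixed pattern: the variable has the full phys_addr_t width, nothing is lost. */
static lpae_phys_addr_t store_itt_addr_fixed(lpae_phys_addr_t phys)
{
    lpae_phys_addr_t itt_addr = phys;
    return itt_addr;
}

/* Defender-side check: would storing this address in a 32-bit unsigned long
 * change it? True exactly when the allocation landed above the 4GB boundary. */
static bool itt_addr_would_truncate(lpae_phys_addr_t phys)
{
    return (phys >> 32) != 0;
}

/* Page frame number the hardware would be pointed at after truncation. When
 * this differs from (phys >> PAGE_SHIFT) the ITS is programmed with the
 * wrong page, which is what leads to the crash the advisory describes. */
static uint64_t truncated_pfn(lpae_phys_addr_t phys)
{
    return (uint64_t)store_itt_addr_truncated(phys) >> PAGE_SHIFT;
}

static uint64_t intended_pfn(lpae_phys_addr_t phys)
{
    return phys >> PAGE_SHIFT;
}

int main(void)
{
    /* Constructed sample addresses: one below 4GB (ZONE_DMA in this
     * configuration), one above 4GB (ZONE_NORMAL backing a GFP_KERNEL allocation). */
    const lpae_phys_addr_t samples[] = { 0x0000000080001000ULL, 0x0000000180001000ULL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        lpae_phys_addr_t phys = samples[i];
        printf("phys=0x%" PRIx64 " unsigned long=0x%08" PRIx32 " phys_addr_t=0x%" PRIx64
               " truncates=%s intended_pfn=0x%" PRIx64 " truncated_pfn=0x%" PRIx64 "\n",
               phys, store_itt_addr_truncated(phys), store_itt_addr_fixed(phys),
               itt_addr_would_truncate(phys) ? "yes" : "no",
               intended_pfn(phys), truncated_pfn(phys));
    }
    return 0;
}
```

The second sample shows the failure mode: 0x180001000 becomes 0x80001000 in the unsigned long, so the page frame handed to the ITS is 0x80001 instead of 0x180001, a different physical page. The phys_addr_t version returns the input unchanged, which is the whole content of the fix.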
Detection Methods for CVE-2026-23085
Indicators of Compromise
- Unexpected system crashes in virtualized ARM environments using GICv3
- Kernel panic messages referencing the GIC-v3-ITS driver or interrupt controller subsystem
- Memory access violations in kernel logs related to interrupt translation operations
- System instability on 32-bit ARM systems with LPAE and large memory configurations
Detection Strategies
- Monitor kernel logs for crash reports originating from the irqchip/gic-v3-its driver
- Check system configuration for CONFIG_ARM_LPAE and VMSPLIT settings that enable the vulnerable condition
- Review kernel version against patched releases to determine exposure status
- Implement automated kernel configuration auditing to identify at-risk deployments
Monitoring Recommendations
- Enable enhanced kernel crash dump collection to capture detailed diagnostic information
- Configure alerting on kernel oops or panic events in monitoring systems
- Track memory allocation patterns in virtualized environments for anomalies
- Monitor for repeated GICv3 driver initialization failures
How to Mitigate CVE-2026-23085
Immediate Actions Required
- Update the Linux kernel to a patched version that corrects the variable type for physical address storage
- Review system configurations for 32-bit ARM deployments with LPAE enabled
- Consider temporarily adjusting VMSPLIT configurations to limit memory allocations above 4GB on vulnerable systems
- Prioritize patching for virtualized environments using QEMU with GICv3
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix involves changing the itt_addr variable to the correct phys_addr_t type, along with all other variables in the GIC-v3-ITS driver that hold physical addresses. The patches are available through the following kernel commits:
Workarounds
- Disable CONFIG_ARM_LPAE if large physical address support is not required for your workload
- Limit physical memory available to the system to below 4GB to prevent allocations in the problematic address range
- Use 64-bit ARM kernels where available, as they correctly handle physical addresses with u64 variables
- For QEMU environments, consider alternative interrupt controller configurations if available
# Check if system is affected by reviewing kernel configuration (falls back to /boot when CONFIG_IKCONFIG_PROC is not enabled)
{ zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } | grep -E "CONFIG_ARM_LPAE|VMSPLIT"
# Verify current kernel version for patch status
uname -r
# Monitor for GIC-related kernel messages
dmesg | grep -i "gic\|its\|irqchip"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.