CVE-2026-23346 Overview
A vulnerability has been resolved in the Linux kernel affecting the arm64 architecture's I/O memory mapping implementation. The issue exists in the ioremap_prot() function, which is called by generic_access_phys() to access physical memory through user mappings. On arm64 systems, the pgprot_t value passed to this function contains all non-address bits from the page table entry (PTE), including permission controls. This results in the creation of a new user mapping that causes kernel faults when accessed on systems with Privileged Access Never (PAN) enabled.
Critical Impact
Systems running affected Linux kernel versions on arm64 architecture may experience kernel panics or denial of service when attempting to read from memory regions that should be kernel-accessible, particularly affecting operations like environ_read and similar virtual file system operations.
Affected Products
- Linux kernel (arm64 architecture)
- Systems with PAN (Privileged Access Never) enabled
- Kernel configurations using generic_access_phys() for physical memory access
Discovery Timeline
- 2026-03-25 - CVE-2026-23346 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23346
Vulnerability Analysis
The vulnerability stems from improper handling of page protection attributes in the arm64 ioremap_prot() implementation. When generic_access_phys() attempts to access physical memory, it passes a pgprot_t value derived from the user mapping of the target page frame number (PFN). On arm64, this protection value contains the complete set of non-address bits from the PTE, including user/kernel permission flags.
The consequence is that ioremap_prot() returns a mapping with user-space permissions, which then triggers a fault when the kernel attempts to access this memory on systems where PAN is enabled. PAN is a security feature that prevents the kernel from inadvertently accessing user-space memory, and in this case, it correctly identifies the improperly configured mapping as a user mapping.
The kernel panic manifests with the error "Unable to handle kernel read from unreadable memory" and produces a call trace showing the failure path through __memcpy_fromio, generic_access_phys, and various file system operations.
Root Cause
The root cause is that ioremap_prot() on arm64 does not properly extract only the memory type information from the incoming pgprot_t value. Instead, it preserves all protection bits, including user-space permission controls that conflict with kernel memory access requirements when PAN is active.
Attack Vector
This vulnerability is triggered through normal kernel operations rather than external attack vectors. The kernel fault occurs when a process reads from /proc/[pid]/environ or performs a similar operation that requires physical memory access through access_remote_vm(). The vulnerable code path is:
- User-space initiates a read operation (e.g., ksys_read)
- The kernel calls environ_read which needs to access remote VM
- access_remote_vm calls generic_access_phys with user-derived protection attributes
- ioremap_prot creates an improperly configured mapping
- __memcpy_fromio attempts to read from the mapping
- PAN triggers a fault due to the user-space permission bits
The fix extracts only the memory type from the user pgprot_t in ioremap_prot() and adds an assertion to verify that a user mapping is being passed. Additionally, a new ioremap() macro is provided that wraps __ioremap_prot() to avoid incorrectly flagging legitimate ioremap users.
Detection Methods for CVE-2026-23346
Indicators of Compromise
- Kernel panic messages containing "Unable to handle kernel read from unreadable memory"
- System log entries showing call traces through __memcpy_fromio and generic_access_phys
- Unexpected system crashes when reading from /proc/[pid]/environ or similar proc filesystem entries
- Denial of service conditions on arm64 systems with PAN enabled
Detection Strategies
- Monitor kernel logs for "Unable to handle kernel read from unreadable memory" error messages
- Implement system stability monitoring for unexpected reboots or kernel panics on arm64 systems
- Review dmesg output for call traces involving ioremap_prot and generic_access_phys
- Deploy kernel crash dump analysis tools to identify this specific failure pattern
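An added example of the log check described above (not part of the original advisory or of any kernel tooling): it reports an oops only when the "Unable to handle kernel read from unreadable memory" header is followed, within the same trace, by both __memcpy_fromio and generic_access_phys. The function names scan_pan_oops and sample_log are hypothetical, and the log lines are constructed sample data.

```shell
#!/bin/sh
# CONSTRUCTED sample kernel log: timestamps, addresses and symbol offsets are
# made up. Entry 1 matches the advisory's pattern, entry 2 is an unrelated
# oops with the same header, entry 3 is a stray mention outside any oops.
sample_log() {
cat <<'EOF'
[  101.000001] Unable to handle kernel read from unreadable memory at virtual address ffff800080000000
[  101.000002] Internal error: Oops: 0000000000000000 [#1] SMP
[  101.000003] Call trace:
[  101.000004]  __memcpy_fromio+0x10/0x20
[  101.000005]  generic_access_phys+0x10/0x20
[  101.000006]  __access_remote_vm+0x10/0x20
[  101.000007]  environ_read+0x10/0x20
[  101.000008]  ksys_read+0x10/0x20
[  101.000009] ---[ end trace 0000000000000000 ]---
[  202.000001] Unable to handle kernel read from unreadable memory at virtual address 0000000000000010
[  202.000002] Call trace:
[  202.000003]  some_driver_irq+0x10/0x20
[  202.000004] ---[ end trace 0000000000000000 ]---
[  303.000001] constructed: stray mention of generic_access_phys outside any oops
EOF
}

# Read a kernel log on stdin and print "MATCH <header line>" for each oops
# whose trace contains both frames named in this advisory.
scan_pan_oops() {
  awk '
    # Close the current oops record and report it if both frames were seen.
    function flush() {
      if (in_oops && copy && phys) print "MATCH " hdr
      in_oops = copy = phys = 0
    }
    /Unable to handle kernel read from unreadable memory/ {
      flush(); in_oops = 1; hdr = $0; next
    }
    in_oops && /__memcpy_fromio/     { copy = 1 }
    in_oops && /generic_access_phys/ { phys = 1 }
    in_oops && /---\[ end trace/     { flush() }
    END { flush() }
  '
}

# Demo on the constructed sample; on a live host, pipe `dmesg` or
# `journalctl -k` into scan_pan_oops instead.
sample_log | scan_pan_oops
```

Matching on the header alone would also flag the second constructed oops, which is why the check requires both frames inside the same trace.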
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information when panics occur
- Configure centralized logging to aggregate kernel messages from arm64 systems
- Set up alerting for kernel oops or panic events across affected infrastructure
- Monitor process access patterns to proc filesystem entries on vulnerable systems
How to Mitigate CVE-2026-23346
Immediate Actions Required
- Apply the latest kernel patches from upstream Linux kernel stable branches
- Schedule maintenance windows for kernel updates on production arm64 systems
- Review system logs for any evidence of this vulnerability being triggered
- Temporarily disable applications that heavily access /proc/[pid]/environ if patches cannot be immediately applied
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix modifies ioremap_prot() to extract only the memory type from the user pgprot_t value and adds validation to ensure user mappings are being processed correctly. Updated kernel versions are available through the following commits:
Workarounds
- If immediate patching is not possible, consider temporarily disabling PAN on affected systems (note: this reduces overall security posture)
- Limit access to proc filesystem entries that trigger the vulnerable code path
- Implement access controls to restrict which processes can read /proc/[pid]/environ
- Consider migrating critical workloads to patched systems while updates are being deployed
# Check current kernel version
uname -r
# Verify arm64 architecture
uname -m
# Review kernel logs for related errors
dmesg | grep -E "(ioremap_prot|generic_access_phys|unreadable memory)"
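# Apply kernel update (example for Debian/Ubuntu-based systems);
# --only-upgrade limits the change to the installed kernel image package
sudo apt update && sudo apt install --only-upgrade "linux-image-$(uname -r)"
# Reboot afterwards so the updated kernel is the one running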