{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23346", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.999Z", "datePublished": "2026-03-25T10:27:33.133Z", "dateUpdated": "2026-03-25T10:27:33.133Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:33.133Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: io: Extract user memory type in ioremap_prot()\n\nThe only caller of ioremap_prot() outside of the generic ioremap()\nimplementation is generic_access_phys(), which passes a 'pgprot_t' value\ndetermined from the user mapping of the target 'pfn' being accessed by\nthe kernel. On arm64, the 'pgprot_t' contains all of the non-address\nbits from the pte, including the permission controls, and so we end up\nreturning a new user mapping from ioremap_prot() which faults when\naccessed from the kernel on systems with PAN:\n\n | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000\n | ...\n | Call trace:\n | __memcpy_fromio+0x80/0xf8\n | generic_access_phys+0x20c/0x2b8\n | __access_remote_vm+0x46c/0x5b8\n | access_remote_vm+0x18/0x30\n | environ_read+0x238/0x3e8\n | vfs_read+0xe4/0x2b0\n | ksys_read+0xcc/0x178\n | __arm64_sys_read+0x4c/0x68\n\nExtract only the memory type from the user 'pgprot_t' in ioremap_prot()\nand assert that we're being passed a user mapping, to protect us against\nany changes in future that may require additional handling. To avoid\nfalsely flagging users of ioremap(), provide our own ioremap() macro\nwhich simply wraps __ioremap_prot()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/include/asm/io.h"], "versions": [{"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0", "lessThan": "3d64dcc0799c2d6921ba027716b7be721eb19fa8", "status": "affected", "versionType": "git"}, {"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0", "lessThan": "d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a", "status": "affected", "versionType": "git"}, {"version": "893dea9ccd08dab924839354aba21d4ed7a9abc0", "lessThan": "8f098037139b294050053123ab2bc0f819d08932", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/include/asm/io.h"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8"}, {"url": "https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a"}, {"url": "https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932"}], "title": "arm64: io: Extract user memory type in ioremap_prot()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: io: Extract user memory type in ioremap_prot()\n\nThe only caller of ioremap_prot() outside of the generic ioremap()\nimplementation is generic_access_phys(), which passes a 'pgprot_t' value\ndetermined from the user mapping of the target 'pfn' being accessed by\nthe kernel. On arm64, the 'pgprot_t' contains all of the non-address\nbits from the pte, including the permission controls, and so we end up\nreturning a new user mapping from ioremap_prot() which faults when\naccessed from the kernel on systems with PAN:\n\n | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000\n | ...\n | Call trace:\n | __memcpy_fromio+0x80/0xf8\n | generic_access_phys+0x20c/0x2b8\n | __access_remote_vm+0x46c/0x5b8\n | access_remote_vm+0x18/0x30\n | environ_read+0x238/0x3e8\n | vfs_read+0xe4/0x2b0\n | ksys_read+0xcc/0x178\n | __arm64_sys_read+0x4c/0x68\n\nExtract only the memory type from the user 'pgprot_t' in ioremap_prot()\nand assert that we're being passed a user mapping, to protect us against\nany changes in future that may require additional handling. To avoid\nfalsely flagging users of ioremap(), provide our own ioremap() macro\nwhich simply wraps __ioremap_prot()."}], "id": "CVE-2026-23346", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:32.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: arm64: io: Extract user memory type in ioremap_prot()", "id": "2451236", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451236"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-843", "details": ["A flaw was found in the Linux kernel, specifically within the arm64 architecture's I/O memory mapping (ioremap_prot) functionality. On systems with Privileged Access Never (PAN) enabled, a local user could exploit this by triggering a scenario where the kernel attempts to access a user memory mapping with incorrect permission controls. This leads to the kernel being unable to read from memory, resulting in a system crash and a denial of service."], "name": "CVE-2026-23346", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23346\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23346\nhttps://lore.kernel.org/linux-cve-announce/2026032535-CVE-2026-23346-faed@gregkh/T"], "statement": "This flaw is specific to ARM64 systems with PAN (Privileged Access Never) enabled. When generic_access_phys() passes user-derived pgprot_t to ioremap_prot(), the permission bits from user mappings are incorrectly preserved, causing kernel access faults when accessing /proc/pid/environ or similar interfaces. The crash is a DoS rather than a security bypass.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:12:23.469578+00:00", "value": {"mitigation_remediation": ["Upgrade your kernel to a version that includes the ioremap_prot patch for arm64 (see the referenced upstream commit).", "Verify your current kernel version with \u2018uname -r\u2019 to confirm whether the fix is present.", "If an immediate kernel upgrade is not possible, temporarily disable PAN (e.g., with the arm64_ptr_auth boot option) to avoid the crash.", "Keep an eye on your distribution\u2019s kernel update channel and apply any official patch as soon as it becomes available."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "All arm64 Linux kernel builds that lack the upstream patch correcting ioremap_prot and that have PAN enabled are affected. The issue applies to any kernel release prior to the commit referenced in the provided logs, regardless of the distribution, and no specific version boundaries are listed in the input.", "description_and_impact": "The flaw lies in the Linux kernel arm64 implementation of ioremap_prot, where the function incorrectly uses the complete user pgprot_t value to configure protection attributes for a newly mapped I/O region. On systems that enable Pointer Authentication (PAN), this mislabeling of a user memory region causes subsequent kernel reads through generic_access_phys to fault, leading to a kernel oops and a system crash. The result is a denial\u2011of\u2011service condition that can be triggered by code that creates such a mapping, effectively terminating critical system operations.", "risk_and_exploitability": "The vulnerability presents a high severity because it causes a complete system crash. No EPSS score or CISA KEV listing is available, indicating that no public exploits have been reported yet. Exploitation requires that kernel code invoke generic_access_phys with a user\u2011supplied pgprot_t, implying that local privileged execution or a driver that uses the flawed routine is necessary. Disabling PAN prevents the fault and therefore mitigates the risk until a patch is applied."}}}}, "created": "2026-03-25T21:32:08.692265+00:00", "updated": "2026-03-25T21:32:08.692303+00:00", "vendors": [], "weaknesses": ["CWE-744"]}