CVE-2026-23346
In the Linux kernel, the following vulnerability has been resolved:

arm64: io: Extract user memory type in ioremap_prot()

The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from ioremap_prot() which faults when accessed from the kernel on systems with PAN:

    | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
    | ...
    | Call trace:
    |   __memcpy_fromio+0x80/0xf8
    |   generic_access_phys+0x20c/0x2b8
    |   __access_remote_vm+0x46c/0x5b8
    |   access_remote_vm+0x18/0x30
    |   environ_read+0x238/0x3e8
    |   vfs_read+0xe4/0x2b0
    |   ksys_read+0xcc/0x178
    |   __arm64_sys_read+0x4c/0x68

Extract only the memory type from the user 'pgprot_t' in ioremap_prot() and assert that we're being passed a user mapping, to protect us against any changes in future that may require additional handling. To avoid falsely flagging users of ioremap(), provide our own ioremap() macro which simply wraps __ioremap_prot().

EPSS 0.02% · 4.6th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 6.0, 6.0, 6.0 |
| Linux | Linux | 893dea9ccd08dab924839354aba21d4ed7a9abc0, 893dea9ccd08dab924839354aba21d4ed7a9abc0, 6.0 |
Exploit Intelligence
- https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8 (circl)
- https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a (circl)
- https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932 (circl)
- glcve_test.go (github-poc)
Timeline
- Mar 25, 2026 EPSS Score
- Mar 25, 2026 Coalition ESS Score
- Mar 25, 2026 CVE Published
- Mar 29, 2026 Security Advisory
- Apr 24, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
References
- https://git.kernel.org/stable/c/3d64dcc0799c2d6921ba027716b7be721eb19fa8 url
- https://git.kernel.org/stable/c/d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a url
- https://git.kernel.org/stable/c/8f098037139b294050053123ab2bc0f819d08932 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23346 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621930-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621841-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262238-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621974-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262217-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621979-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262149-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262158-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621973-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262189-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262159-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621942-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621964-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621939-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-20262202-1 advisory
- https://www.suse.com/support/update/announcement/2026/suse-su-202621910-1 advisory