CVE-2026-23067: In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in
Summary
A Linux kernel bug caused the iommu/io-pgtable-arm component to return a negative error code (-ENOENT) from a function whose return type is size_t (an unsigned data type, meaning it cannot hold negative numbers). The negative value was therefore interpreted as a huge positive value, which corrupted memory addresses used by the I/O memory management unit and triggered crashes. The bug affected how the kernel unmaps (frees) memory regions used for direct device access.
Solution / Mitigation
Fix by returning 0 instead of -ENOENT when encountering an unmapped PTE (page table entry). The existing WARN_ON already signals the error condition, and returning 0 (meaning 'nothing unmapped') is the correct semantic for a size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.
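The conversion described above, as a user-space model added here for illustration (not the kernel's code): the function names, the 4-entry table, the 4096-byte page size and the caller loop are all assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ ((size_t)4096) /* assumed granule size for this model */

/* Constructed page table state: 1 = mapped PTE, 0 = unmapped PTE. */
static const int pte_mapped[4] = { 1, 1, 0, 1 };

/* Pre-fix pattern: a negative errno leaves through an unsigned return type. */
static size_t unmap_one_buggy(unsigned idx)
{
    if (!pte_mapped[idx])
        return -ENOENT; /* converted to SIZE_MAX - ENOENT + 1 */
    return PAGE_SZ;
}

/* Post-fix pattern: 0 means "nothing unmapped". */
static size_t unmap_one_fixed(unsigned idx)
{
    if (!pte_mapped[idx])
        return 0;
    return PAGE_SZ;
}

/* Hypothetical caller: advances the I/O virtual address by the size each
 * call reports, and stops when a call reports that nothing was unmapped. */
static uint64_t unmap_range(uint64_t iova, unsigned npages,
                            size_t (*unmap_one)(unsigned))
{
    for (unsigned i = 0; i < npages; i++) {
        size_t done = unmap_one(i);
        if (done == 0)
            break;
        iova += done;
    }
    return iova;
}

int main(void)
{
    printf("buggy return for unmapped PTE: %zu\n", unmap_one_buggy(2));
    printf("end iova, buggy: 0x%llx\n",
           (unsigned long long)unmap_range(0x10000, 4, unmap_one_buggy));
    printf("end iova, fixed: 0x%llx\n",
           (unsigned long long)unmap_range(0x10000, 4, unmap_one_fixed));
    return 0;
}
```

With the buggy variant the caller never sees a zero, so it keeps walking with an address that is no longer page-aligned; with the fixed variant it stops at the unmapped entry.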
Vulnerability Details
EPSS: 0.0%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-23067
First tracked: February 15, 2026 at 08:36 PM