Skip to main content

Linux EUVDEUVD-2026-15312

| CVE-2026-23345 MEDIUM
2026-03-25 Linux GHSA-67rr-wm48-f5vp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15312
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled

When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the shareability attribute with bits 50-51 of the output address. The _PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this matches the other _PAGE_* definitions) but using this macro directly leads to the following panic when enabling GCS on a system/model with LPA2:

Unable to handle kernel paging request at virtual address fffff1ffc32d8008 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000 [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G M 7.0.0-rc1 #1 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025 pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : zap_huge_pmd+0x168/0x468 lr : zap_huge_pmd+0x2c/0x468 sp : ffff800080beb660 x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898 x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41 x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000 x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007 x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000 x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff x8 : 0000ffff8de00000 x7 : 0000ffff8da00000 x6 : fff00000c2bc6370 x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000 x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600 Call trace: zap_huge_pmd+0x168/0x468 (P) unmap_page_range+0xd70/0x1560 unmap_single_vma+0x48/0x80 unmap_vmas+0x90/0x180 unmap_region+0x88/0xe4 vms_complete_munmap_vmas+0xf8/0x1e0 do_vmi_align_munmap+0x158/0x180 do_vmi_munmap+0xac/0x160 __vm_munmap+0xb0/0x138 vm_munmap+0x14/0x20 gcs_free+0x70/0x80 mm_release+0x1c/0xc8 exit_mm_release+0x28/0x38 do_exit+0x190/0x8ec do_group_exit+0x34/0x90 get_signal+0x794/0x858 arch_do_signal_or_restart+0x11c/0x3e0 exit_to_user_mode_loop+0x10c/0x17c el0_da+0x8c/0x9c el0t_64_sync_handler+0xd0/0xf0 el0t_64_sync+0x198/0x19c Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420)

Similarly to how the kernel handles protection_map[], use a gcs_page_prot variable to store the protection bits and clear PTE_SHARED if LPA2 is enabled.

Also remove the unused PAGE_GCS{,_RO} macros.

AnalysisAI

A memory protection vulnerability exists in the Linux kernel's ARM64 Guarded Control Stack (GCS) implementation when FEAT_LPA2 (52-bit virtual addressing) is enabled. The vulnerability occurs because GCS page table entries incorrectly use the PTE_SHARED bits (0b11) in positions that are repurposed for high-order address bits when LPA2 is active, causing page table corruption and kernel panics during GCS memory operations. This affects all Linux kernel versions with GCS support on ARM64 systems with LPA2 enabled, and while no active exploitation or public POC has been reported, the vulnerability causes immediate kernel crashes when GCS is enabled on affected hardware configurations.

Technical ContextAI

The vulnerability involves the ARM64 architecture's page table entry (PTE) encoding scheme and the interaction between two ARM64 extensions: FEAT_LPA2 (which extends virtual address space to 52 bits) and GCS (Guarded Control Stack, a control-flow integrity feature). In standard ARM64 PTEs, bits 8-9 encode shareability attributes via PTE_SHARED. However, when FEAT_LPA2 is enabled, these bit positions are reused to store bits 50-51 of the output physical address. The affected Linux kernel (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) defines _PAGE_GCS and _PAGE_GCS_RO macros that include PTE_SHARED set to 0b11, matching other page protection macros. When these macros are directly applied to GCS mappings on LPA2-enabled systems, the shareability bits corrupt the high-order physical address bits, causing invalid page table entries and triggering level 0 translation faults. The root cause is a missing conditional that should clear PTE_SHARED when LPA2 is active, similar to how the kernel handles the protection_map[] structure.

RemediationAI

Apply the Linux kernel patches referenced in the stable tree: commit ca1684dd297bf0725c1d487cff80e615497accf6, commit 1df3ef7e612d6ccbae5a48e1121553c47c2123d6, or commit 8a85b3131225a8c8143ba2ae29c0eef8c1f9117f (available at https://git.kernel.org/stable/). These commits modify the GCS page protection implementation to use a gcs_page_prot variable that conditionally clears PTE_SHARED when FEAT_LPA2 is enabled, matching the kernel's protection_map handling pattern. Upgrade to a stable kernel version that includes these fixes (typically available in -stable releases following the fix date). Until patching is complete, GCS can be disabled by compiling the kernel without CONFIG_ARM64_GCS or by avoiding systems with both FEAT_LPA2 and GCS enabled. Systems using older kernel versions on ARM64 hardware without FEAT_LPA2 support are unaffected and do not require immediate patching.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy