Skip to main content

Linux EUVDEUVD-2026-15313

| CVE-2026-23346 MEDIUM
2026-03-25 Linux GHSA-xqp7-9gqv-6978
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15313
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

arm64: io: Extract user memory type in ioremap_prot()

The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from ioremap_prot() which faults when accessed from the kernel on systems with PAN:

| Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 | ... | Call trace: | __memcpy_fromio+0x80/0xf8 | generic_access_phys+0x20c/0x2b8 | __access_remote_vm+0x46c/0x5b8 | access_remote_vm+0x18/0x30 | environ_read+0x238/0x3e8 | vfs_read+0xe4/0x2b0 | ksys_read+0xcc/0x178 | __arm64_sys_read+0x4c/0x68 Extract only the memory type from the user 'pgprot_t' in ioremap_prot() and assert that we're being passed a user mapping, to protect us against any changes in future that may require additional handling. To avoid falsely flagging users of ioremap(), provide our own ioremap() macro which simply wraps __ioremap_prot().

AnalysisAI

A memory access protection bypass vulnerability exists in the Linux kernel's ARM64 ioremap_prot() function where user-space page protection attributes are improperly propagated to kernel-space I/O remapping, bypassing Privileged Access Never (PAN) protections and enabling information disclosure. This affects all Linux kernel versions on ARM64 systems with PAN enabled. An attacker with local access can trigger memory access faults and potentially read sensitive kernel memory through operations like accessing /proc/[pid]/environ on vulnerable systems.

Technical ContextAI

The vulnerability resides in the ARM64 architecture-specific I/O memory remapping implementation within the Linux kernel (affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). The root cause involves improper handling of page table entry (pte) attributes in ioremap_prot(), which is called by generic_access_phys() when the kernel needs to access physical memory via user-space virtual address mappings. On ARM64, the pgprot_t structure contains permission control bits intended for user-space access, and when these are directly used for kernel I/O remapping, they create kernel-accessible mappings with user-space permission restrictions. This violates the ARM64 PAN protection mechanism, which enforces kernel code cannot directly access user memory. The vulnerability class relates to improper permission/attribute handling during memory mapping transitions between user and kernel contexts.

RemediationAI

Update the Linux kernel to a version incorporating the security patches referenced in the stable kernel repository (commits 3d64dcc0799c2d6921ba027716b7be721eb19fa8, d1ad8fe7f72d73e1617bac79f2ec7a3bedf47e2a, or 8f098037139b294050053123ab2bc0f819d08932). Most distributions have backported these fixes into stable release branches: RHEL should apply the latest kernel-core update, Ubuntu users should install the latest linux-image package for their kernel series, and Debian users should upgrade to the latest stable kernel. Until patching is possible, restrict local user access on ARM64 systems through privilege separation and disable unnecessary access to /proc/[pid]/ file contents via securityfs restrictions or AppArmor/SELinux profiles. Verify PAN is enabled in your kernel configuration (CONFIG_ARM64_PAN) and ensure you are running an updated, patched kernel version.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy