Incorrect Conversion between Numeric Types Affecting rv package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL10-RV-15217173
- published5 Feb 2026
- disclosed4 Feb 2026
Introduced: 4 Feb 2026
CVE-2026-23085 (opens in a new tab)How to fix?
There is no fixed version for RHEL:10 rv.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rv package and not the rv package as distributed by RHEL.
See How to fix? for RHEL:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Avoid truncating memory addresses
On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations.
This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable.
Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address.
The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2436828
- https://access.redhat.com/security/cve/CVE-2026-23085
- https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98
- https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f
- https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb
- https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859
- https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238
- https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27
- https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88