Skip to main content

Linux CVE-2026-23474

| EUVDEUVD-2026-18749 MEDIUM
2026-04-03 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
75a4d8cfe7784f909b3bd69325abac8e04ecb385,8e2f8020270af7777d49c2e7132260983e4fc566,0b08be5aca212a99f8ba786fee4922feac08002c
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18749
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mtd: Avoid boot crash in RedBoot partition table parser

Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops.

Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE

As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation."

Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.

AnalysisAI

Buffer overflow in Linux kernel's RedBoot partition table parser allows kernel panic during boot when CONFIG_FORTIFY_SOURCE is enabled with recent compilers. The MTD (Memory Technology Devices) subsystem reads beyond allocated buffer boundaries in partition name validation, triggering fortify-source detection and kernel crash (oops). This affects systems using RedBoot bootloader partitioning on embedded devices; exploitation is involuntary (denial of service via boot failure) rather than attacker-driven, with no public exploit code identified.

Technical ContextAI

The vulnerability resides in the RedBoot partition table parser within the Linux kernel's MTD subsystem (drivers/mtd/parsers/parser_redboot.c or equivalent). The root cause is a buffer over-read in boundary checking logic: the code uses memcmp() to validate partition names, but the comparison length (namelen) is derived from dynamic allocation calculations that can exceed the actual allocated buffer size. When CONFIG_FORTIFY_SOURCE=y (kernel hardening feature) and recent GCC/Clang compilers use __builtin_dynamic_object_size(), the fortify library detects a 15-byte read against a 14-byte allocated buffer, triggering a kernel warning and crash. The CWE classification falls under improper boundary validation (CWE-119 or CWE-120 buffer operations). The fix replaces the unsafe memcmp() call with strcmp(), which respects null-terminated string boundaries and eliminates the over-read condition.

RemediationAI

Apply upstream kernel patch from stable branch (commits: 0b08be5aca212a99f8ba786fee4922feac08002c, d8570211a2b1ec886a462daa0be4e9983ac768bb, 2025b2d1f9d5cad6ea6fe85654c6c41297c3130b, c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c, 75a4d8cfe7784f909b3bd69325abac8e04ecb385, or 8e2f8020270af7777d49c2e7132260983e4fc566 from https://git.kernel.org/stable/). The fix replaces memcmp() with strcmp() in the RedBoot partition table parser to respect null-terminated string boundaries. Rebuild kernel with the patched source. For systems unable to rebuild immediately, disable CONFIG_FORTIFY_SOURCE=y (trade-off: lose fortify-source protections) or switch to a compiler version predating __builtin_dynamic_object_size() support (GCC < 11.0, Clang < 14.0), though neither is recommended as a permanent workaround. Verify patch application by confirming MTD parser code no longer contains the vulnerable memcmp call with dynamic length validation on partition names.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Micro 6.2 Fixed

Share

CVE-2026-23474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy