Skip to main content

Linux Kernel CVE-2026-46006

| EUVDEUVD-2026-32303 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-66r8-mwch-7x3r
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:35 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]

AnalysisAI

Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.

Technical ContextAI

The flaw resides in drivers/gpu/drm/nouveau, the open-source DRM/KMS driver for NVIDIA GPUs, specifically in the pushbuf ioctl path used to submit GPU command buffers with relocations. The check 'r->reloc_bo_offset + 4 > nvbo->bo.base.size' performs the addition in 32-bit arithmetic because reloc_bo_offset is a __u32 (as defined in uapi/drm/nouveau_drm.h) and the literal 4 promotes to unsigned int; values near UINT32_MAX wrap to small numbers and pass the comparison against the size_t buffer object size. This is a classic integer-overflow-leading-to-improper-bounds-check pattern (CWE-190 chained to CWE-787 out-of-bounds write), exposed across the userspace API surface of the Nouveau driver. The fix casts the offset to u64 so the comparison happens in 64-bit arithmetic, preventing the wrap.

RemediationAI

Vendor-released patches are available - upgrade to Linux stable 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any later release on those branches) via your distribution's kernel update channel as soon as it ships the backport (see https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9 and the related stable commits listed in EUVD-2026-32303). If immediate patching is not possible, a targeted compensating control is to unload and blacklist the nouveau module ('modprobe -r nouveau' plus a blacklist entry in /etc/modprobe.d/) on systems that do not need accelerated NVIDIA graphics, which fully removes the attack surface but breaks GPU acceleration and Wayland/X sessions on those NVIDIA GPUs. Alternatively, restrict access to /dev/dri/render* and /dev/dri/card* (e.g., remove untrusted users from the 'video'/'render' groups, or tighten udev permissions) to limit who can submit pushbufs, at the cost of breaking GPU-using applications for those users; this is a partial mitigation since any user already able to open the device retains exploit access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy