Skip to main content

Linux Kernel CVE-2026-46023

| EUVDEUVD-2026-32404 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-f54w-pgr9-9wv8
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Device mapper table submission requires CAP_SYS_ADMIN (PR:H); impact is DoS-only kernel crash with no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 16:08 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

dm mirror: fix integer overflow in create_dirty_log()

The argument count calculation in create_dirty_log() performs *args_used = 2 + param_count before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent argc < *args_used check to be bypassed.

The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array.

Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe.

AnalysisAI

Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.

Technical ContextAI

The affected component is the dm-mirror driver within the Linux kernel's device mapper (DM) subsystem, which provides disk mirroring functionality. The root cause is classified as CWE-190 (Integer Overflow or Wraparound): in create_dirty_log(), the expression *args_used = 2 + param_count is evaluated in unsigned arithmetic before any bounds validation. A user-controlled param_count near UINT_MAX causes the sum to wrap around to a small integer, allowing the subsequent guard (argc < *args_used) to pass erroneously. The wrapped value is then forwarded as argc to dm_dirty_log_create(), where argv array accesses proceed out-of-bounds. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* confirms the scope is the upstream Linux kernel spanning a very long version history originating at 2.6.12. The fix pattern - comparing param_count against argc - 2 before the addition - mirrors the already-correct implementation in parse_features() within the same source file, confirming this was a localized oversight rather than a systemic design flaw.

RemediationAI

The primary remediation is upgrading to a patched Linux kernel release: mainline 7.1-rc1 or later, 7.0.4 or later for the 7.0.x stable series, 6.18.27 or later for 6.18.x, 6.12.86 or later for the 6.12.x LTS series, and 6.6.140 or later for the 6.6.x LTS series. Fix commits are accessible directly at git.kernel.org (see references: 17a08791d428885d00e510864283a7b839792368 and associated stable backports). If immediate patching is not feasible, a practical compensating control is to restrict access to device mapper configuration interfaces by ensuring only privileged users with explicit CAP_SYS_ADMIN capability can submit device mapper table strings - tightening udev rules, container security profiles (seccomp, AppArmor, SELinux), and avoiding granting unprivileged access to /dev/mapper. Disabling the dm-mirror module (modprobe -r dm-mirror) where mirroring is not in use eliminates the attack surface entirely, though this will disable disk mirroring functionality. Downstream distributions (RHEL, Debian, Ubuntu, SUSE) will backport the fix to their own kernel packages; check respective vendor security advisories for distribution-specific patch availability.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy