Skip to main content

Linux Kernel CVE-2026-46045

| EUVDEUVD-2026-32427 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5mq8-r2rm-q3gq
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.7 MEDIUM

Local md-llbitmap code path reachable only by root configuring RAID (PR:H) during a transient rebuild window (AC:H); impact is data corruption and availability loss, not disclosure (C:N).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:07 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

md/md-llbitmap: skip reading rdevs that are not in_sync

When reading bitmap pages from member disks, the code iterates through all rdevs and attempts to read from the first available one. However, it only checks for raid_disk assignment and Faulty flag, missing the In_sync flag check.

This can cause bitmap data to be read from spare disks that are still being rebuilt and don't have valid bitmap information yet. Reading stale or uninitialized bitmap data from such disks can lead to incorrect dirty bit tracking, potentially causing data corruption during recovery or normal operation.

Add the In_sync flag check to ensure bitmap pages are only read from fully synchronized member disks that have valid bitmap data.

AnalysisAI

Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.

Technical ContextAI

The flaw lives in drivers/md/md-llbitmap.c, part of Linux's software RAID (md) stack that implements the log-less ('llbitmap') variant of the write-intent bitmap. The bitmap records which array regions are 'dirty' and must be resynchronized after an unclean shutdown or device replacement. When reading bitmap pages from member rdevs, the original logic accepted any rdev with raid_disk >= 0 that was not Faulty, but a spare added for rebuild is in exactly that state while its contents - including the on-disk bitmap region - are still uninitialized or stale. The CWE-787 (out-of-bounds write) and 'Memory Corruption / Buffer Overflow' tags supplied with this CVE are misleading: the actual root cause is a missing precondition check (closer to CWE-754 / improper validation of state) that leads to logical data corruption rather than a memory-safety overflow. The fix is to require the In_sync flag, ensuring only fully synchronized members supply bitmap data. Affected CPE is cpe:2.3:o:linux:linux_kernel:*.

RemediationAI

Upstream fix available (commits 3115fa2f62970d98f2a639145fb8e2767db8bbf9, 7701e68b5072faa03a8f30b4081dc16df9092381, 98623c7e2a51eab1833c8628d33fa9c6ef3ce325 on git.kernel.org/stable); vendor-released patched stable versions are 6.18.27 and 7.0.4, with the change landing in mainline 7.1-rc1, so upgrade to one of those or the equivalent distribution kernel. Until you can reboot into a patched kernel, the practical workaround is to avoid the trigger: do not add spares or initiate rebuild/reshape operations on md arrays that use the llbitmap variant; if you must add a replacement disk, take a verified backup first and quiesce I/O during the rebuild - trade-off is reduced availability and slower recovery. If your workload does not require llbitmap, recreating the array's bitmap with the legacy internal bitmap (mdadm --grow --bitmap=internal) sidesteps the affected code path entirely at the cost of losing llbitmap's performance characteristics.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy