Skip to main content

Linux Kernel CVE-2026-46094

| EUVDEUVD-2026-32477 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vjw4-hv65-7vhq
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local low-privilege access to mount/parse a crafted ext4 xattr block (AV:L/PR:L); the bounded 3-byte over-read gives limited disclosure (C:L) and kernel crash potential (A:H), with no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:23 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region.

For example, if next lands at end - 1, the check passes since next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region.

Fix this by changing the check to (void *)next + sizeof(u32) > end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration.

AnalysisAI

Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.

Technical ContextAI

The vulnerability is in ext4's on-disk extended-attribute validation routine check_xattrs() (fs/ext4/xattr.c). Extended attributes are key/value metadata stored either inline in the inode or in a dedicated xattr block. While iterating xattr entries, the loop guards the next entry with '(void *)next >= end', which permits 'next' to sit within sizeof(u32) bytes of the buffer end. On the following iteration the IS_LAST_ENTRY() macro dereferences '*(__u32 *)(entry)' - a 4-byte read - so when 'next' lands at end-1 the check still passes (next < end) but the read accesses 3 bytes past the valid region. This is a classic CWE-125 (Out-of-bounds Read) caused by an off-by-(sizeof(u32)) boundary condition; the fix tightens the test to '(void *)next + sizeof(u32) > end' so a full 4-byte read always fits. The CPE data scopes this to the Linux kernel operating system (cpe:2.3:o:linux:linux_kernel), and the regression was introduced around the ext4 xattr handling present since kernel 6.3.

RemediationAI

Vendor-released patch: upgrade to a fixed stable kernel - Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or your distribution's equivalent backport) - referencing the kernel.org commits 520986722dbf, 537e065977022, 5a5314d23876, ab6da97bc310, and eceafc31ea7b. The single-line fix changes the check_xattrs() bounds test, so it backports cleanly; applying your distro's next kernel security update is the correct action. Where you cannot reboot immediately, reduce exposure by not auto-mounting untrusted or removable ext4 media and by restricting which users can mount filesystems (avoid 'user'/'users' fstab options and unprivileged FUSE-style mounting of attacker-supplied images); the trade-off is reduced convenience for removable storage workflows. There is no feature toggle to disable ext4 xattr parsing without disabling xattrs broadly, so patching remains the only complete remediation.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

CVE-2026-46094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy