Skip to main content

Linux Kernel CVE-2026-46115

| EUVDEUVD-2026-32874 CRITICAL
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3588-2x8w-w62r
Critical
Disputed · 9.8 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:50 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

block: add pgmap check to biovec_phys_mergeable

biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.

When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().

Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.

AnalysisAI

Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Technical ContextAI

The defect lives in block/bio.c / block/blk-merge.c logic where biovec_phys_mergeable() decides whether two bio_vec entries that are physically adjacent can be coalesced into a single segment for request merging, DMA mapping, and integrity merge paths. Zone device memory (ZONE_DEVICE), used by subsystems like DAX, persistent memory (nvdimm/pmem), HMM, and device-private memory for GPUs/accelerators, can be registered as multiple chunks, each owning a separate struct dev_pagemap. While iov_iter_extract_bvecs() correctly breaks at pgmap boundaries, the outer loop in bio_iov_iter_get_pages() can still append bvecs from a different pgmap into the same bio; once merged, page_pgmap() can no longer disambiguate the originating pgmap for the coalesced range. The fix introduces a zone_device_pages_have_same_pgmap() check so segments backed by different pgmaps are not collapsed. No CWE is assigned, but the class is best described as incorrect identifier/state handling on a memory region boundary (akin to CWE-682/CWE-662 family).

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or any later release on those stable branches) per the upstream stable trees at https://git.kernel.org/stable/c/f632dab4b841554cd6416058c61886d7db176581, https://git.kernel.org/stable/c/3d2ecbd444b01d6500671d1a582b7393943cf539, https://git.kernel.org/stable/c/f17d521075325b8afc42d1baa1c28a5e9aca111f, https://git.kernel.org/stable/c/13920e4b7b784b40cf4519ff1f0f3e513476a499, and https://git.kernel.org/stable/c/a7f3aa8c9df3905fe820ae36b67ba56b81587574. Distribution kernels (RHEL, Ubuntu, SUSE, Debian, Amazon Linux) should pick up the backport in their next stable refresh; track distro CVE trackers and reboot affected hosts. As a compensating control until the patched kernel is deployed, avoid exposing ZONE_DEVICE memory to local I/O paths: do not mount filesystems in DAX mode on pmem/CXL devices that span multiple pgmaps, and avoid passing GPU/accelerator device-private memory through O_DIRECT or io_uring fixed-buffer I/O - the trade-off is loss of DAX performance and zero-copy GPU I/O on those hosts. Restricting local user access to block devices backed by zone-device memory (chmod/udev rules, container device cgroups) further reduces who can trigger the merge path.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy