Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local kernel heap overflow reachable by a low-privileged user with no interaction; heap corruption plausibly yields full confidentiality, integrity and availability impact, hence high across the board.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
vmalloc: fix buffer overflow in vrealloc_node_align()
Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc") added the ability to force a new allocation if the current pointer is on the wrong NUMA node, or if an alignment constraint is not met, even if the user is shrinking the allocation.
On this path (need_realloc), the code allocates a new object of 'size' bytes and then memcpy()s 'old_size' bytes into it. If the request is to shrink the object (size < old_size), this results in an out-of-bounds write on the new buffer.
Fix this by bounding the copy length by the new allocation size.
AnalysisAI
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Technical ContextAI
The vulnerability lives in mm/vmalloc.c, the kernel's virtually-contiguous allocator used for large in-kernel buffers. Commit 4c5d3365882d ('mm/vmalloc: allow to set node and align in vrealloc') extended vrealloc_node_align() to force a fresh allocation when the existing pointer sits on the wrong NUMA node or violates an alignment constraint, even during a shrink. On that need_realloc path the code allocates 'size' bytes for the new object but copies 'old_size' bytes from the original, so when size < old_size it writes past the end of the freshly allocated buffer. This is a textbook CWE-787 (Out-of-bounds Write): the copy length was not bounded by the destination size. The fix clamps the memcpy length to the new allocation size. Affected CPE is cpe:2.3:a:linux:linux, i.e. the mainline/stable Linux kernel itself; exposure depends on which kernel callers of vrealloc with node/alignment hints can be reached.
RemediationAI
Vendor-released patch: upgrade to a fixed stable kernel - 6.18.27, 7.0.4, or 7.1-rc2 (or any distribution kernel that incorporates fix commits e9b057a4, 82d1f012, or b281adf7). The upstream fix bounds the memcpy length to the new allocation size in vrealloc_node_align(). Ubuntu users should apply the kernels shipped in USN-8489-1 (https://ubuntu.com/security/notices/USN-8489-1) and USN-8488-1 (https://ubuntu.com/security/notices/USN-8488-1) and reboot, or use livepatch where available to defer the reboot. Because the flaw is reached only through in-kernel vrealloc callers and requires local access, there is no clean configuration-level workaround; interim risk can be reduced by tightening local access and limiting untrusted local users on affected hosts until the kernel is updated, accepting that this does not remove the underlying bug.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35146
GHSA-xwpx-34xj-4qmq