Skip to main content

Linux Kernel CVE-2026-46294

| EUVDEUVD-2026-35160 HIGH
Out-of-bounds Write (CWE-787)
2026-06-08 Linux GHSA-c9hh-9962-q529
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.0 LOW

Device-mapper ioctls require CAP_SYS_ADMIN (PR:H) and a non-default misaligned buffer (AC:H); attacker is already root, so added confidentiality impact is none and integrity/availability impact is low.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 19:10 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

dm: fix a buffer overflow in ioctl processing

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:

  1. The code in retrieve_status checks that the output string fits into

the output buffer and writes the output string there

  1. Then, the code aligns the "outptr" variable to the next 8-byte

boundary: outptr = align_ptr(outptr);

  1. The alignment doesn't check overflow, so outptr could point past the

buffer end

  1. The "for" loop is iterated again, it executes:

remaining = len - (outptr - outbuf);

  1. If "outptr" points past "outbuf + len", the arithmetics wraps around

and the variable "remaining" contains unusually high number

  1. With "remaining" being high, the code writes more data past the end of

the buffer

Luckily, this bug has no security implications because:

  1. Only root can issue device mapper ioctls
  2. The commonly used libraries that communicate with device mapper

(libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally

AnalysisAI

Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.

Technical ContextAI

The device-mapper (dm) subsystem exposes control functionality to userspace through the /dev/mapper/control ioctl interface, used by LVM, cryptsetup, multipath and similar storage tooling. In retrieve_status(), the kernel copies status strings for each dm target into a user-provided output buffer, then calls outptr = align_ptr(outptr) to advance to the next 8-byte boundary before the next loop iteration. This maps to CWE-787 (Out-of-bounds Write): the alignment rounding is performed without validating that the adjusted pointer still lies within outbuf+len. When outptr passes the buffer end, the expression remaining = len - (outptr - outbuf) underflows (unsigned wraparound) to a very large value, defeating the bounds check and permitting writes beyond the buffer. The CPE data identifies the affected component generically as cpe:2.3:a:linux:linux:*, i.e. the mainline Linux kernel's dm-ioctl code path.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or later) as appropriate to your branch, then reboot into the patched kernel. On enterprise distributions, apply the vendor's backported kernel package via normal patch management rather than tracking upstream tags. The relevant fix commits are published on the kernel stable tree (e.g. https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159 and https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668). Because exploitation requires root/CAP_SYS_ADMIN, this is low urgency and can follow a routine kernel maintenance cycle; as a compensating control, restrict CAP_SYS_ADMIN and limit which accounts can load device-mapper targets or issue dm ioctls (e.g. avoid granting privileged container access to /dev/mapper/control), noting this may break storage-management tooling such as LVM or cryptsetup that legitimately needs it.

Share

CVE-2026-46294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy