Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Device-mapper ioctls require CAP_SYS_ADMIN (PR:H) and a non-default misaligned buffer (AC:H); attacker is already root, so added confidentiality impact is none and integrity/availability impact is low.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a buffer overflow in ioctl processing
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:
- The code in retrieve_status checks that the output string fits into
the output buffer and writes the output string there
- Then, the code aligns the "outptr" variable to the next 8-byte
boundary: outptr = align_ptr(outptr);
- The alignment doesn't check overflow, so outptr could point past the
buffer end
- The "for" loop is iterated again, it executes:
remaining = len - (outptr - outbuf);
- If "outptr" points past "outbuf + len", the arithmetics wraps around
and the variable "remaining" contains unusually high number
- With "remaining" being high, the code writes more data past the end of
the buffer
Luckily, this bug has no security implications because:
- Only root can issue device mapper ioctls
- The commonly used libraries that communicate with device mapper
(libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
AnalysisAI
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Technical ContextAI
The device-mapper (dm) subsystem exposes control functionality to userspace through the /dev/mapper/control ioctl interface, used by LVM, cryptsetup, multipath and similar storage tooling. In retrieve_status(), the kernel copies status strings for each dm target into a user-provided output buffer, then calls outptr = align_ptr(outptr) to advance to the next 8-byte boundary before the next loop iteration. This maps to CWE-787 (Out-of-bounds Write): the alignment rounding is performed without validating that the adjusted pointer still lies within outbuf+len. When outptr passes the buffer end, the expression remaining = len - (outptr - outbuf) underflows (unsigned wraparound) to a very large value, defeating the bounds check and permitting writes beyond the buffer. The CPE data identifies the affected component generically as cpe:2.3:a:linux:linux:*, i.e. the mainline Linux kernel's dm-ioctl code path.
RemediationAI
Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or later) as appropriate to your branch, then reboot into the patched kernel. On enterprise distributions, apply the vendor's backported kernel package via normal patch management rather than tracking upstream tags. The relevant fix commits are published on the kernel stable tree (e.g. https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159 and https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668). Because exploitation requires root/CAP_SYS_ADMIN, this is low urgency and can follow a routine kernel maintenance cycle; as a compensating control, restrict CAP_SYS_ADMIN and limit which accounts can load device-mapper targets or issue dm ioctls (e.g. avoid granting privileged container access to /dev/mapper/control), noting this may break storage-management tooling such as LVM or cryptsetup that legitimately needs it.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35160
GHSA-c9hh-9962-q529