Skip to main content

Linux Kernel CVE-2026-52905

| EUVDEUVD-2026-35434 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-09 Linux GHSA-q36j-3hm6-hh2w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local sysfs write access required (AV:L, PR:L); non-power-of-two value triggers kernel crash with no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:38 vuln.today
CVSS changed
Jul 08, 2026 - 21:52 NVD
5.5 (MEDIUM)
Patch available
Jun 09, 2026 - 15:01 EUVD
CVE Published
Jun 09, 2026 - 12:36 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 12:36 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: disallow non-power of two min_region_sz on damon_start()

Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start().

The issue was discovered by sashiko [1].

AnalysisAI

Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two min_region_sz value through the DAMON sysfs interface and invoking damon_start(). The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the damon_commit_ctx() code path but left damon_start() - reachable via DAMON sysfs - without the is_power_of_2() guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.

Technical ContextAI

DAMON is a Linux kernel memory subsystem (mm/damon/) that monitors data access patterns and feeds memory management policies. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input): the min_sz_region field added by commit d8f867fa0825 requires power-of-two alignment to ensure DAMON region boundaries stay aligned with kernel page granularity. The is_power_of_2() validation was added to damon_commit_ctx() by commit c80f46ac228b but was not applied to damon_start(), which is the code path invoked when a user writes to the DAMON sysfs interface under /sys/kernel/mm/damon/. Providing a non-power-of-two value causes unaligned region address arithmetic inside the kernel, which can produce memory corruption or a kernel panic. Affected CPE: cpe:2.3:a:linux:linux across the 6.18.x and 7.0.x stable series and development builds up to 7.1-rc1.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched version: 6.18.30 or later for the 6.18 stable series, 7.0.4 or later for the 7.0.x series, or any mainline build at 7.1-rc1 or later. Upstream fix commits are published at https://git.kernel.org/stable/c/95093e5cb4c5b50a5b1a4b79f2942b62744bd66a (6.18 branch), https://git.kernel.org/stable/c/89b6226b6c2a4add3939f361653a47c212d6ab75 (7.0 branch), and https://git.kernel.org/stable/c/1de2db19a6028abe7d905875922faef5b873de67 (mainline). Ubuntu users should apply the kernel packages referenced in USN-8489-1 (https://ubuntu.com/security/notices/USN-8489-1) and USN-8488-1 (https://ubuntu.com/security/notices/USN-8488-1). As a compensating control pending patching, administrators can restrict write access to the DAMON sysfs hierarchy at /sys/kernel/mm/damon/ using filesystem permissions or a MAC policy (e.g., SELinux/AppArmor), preventing low-privileged users from writing arbitrary values - note this disables user-space DAMON configuration for non-root users. Alternatively, if DAMON is unused, rebuilding the kernel with CONFIG_DAMON_SYSFS=n removes the vulnerable interface entirely.

Share

CVE-2026-52905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy