Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Local only (AV:L); triggering needs a contrived oversized dm target (AC:H) and CAP_SYS_ADMIN to create dm targets (PR:H); heap corruption yields full kernel CIA impact, scope unchanged.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
dm log: fix out-of-bounds write due to region_count overflow
The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions.
Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region_count overflows 32 bits:
dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1):
$ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in core_in_sync:
BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed!
Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.
AnalysisAI
Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local privileged access sufficient to create a device-mapper target (dmsetup create), which on stock systems means CAP_SYS_ADMIN. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a real but bounded local issue rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with CAP_SYS_ADMIN inside a privileged container or compromised low-trust service uses dmsetup to create a mirror target over a multi-terabyte zero device with a small region_size, forcing region_count past 2^32 (the public reproducer demonstrates exactly this with an 8589934594-sector table). The truncated bitset allocation then drives out-of-bounds writes into kernel heap during log bit operations, crashing the kernel and potentially enabling controlled heap corruption for privilege escalation or container-to-host escape. … |
| Remediation | Vendor-released patch: upgrade to the fixed stable kernel for your branch - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's backported build; track Red Hat at https://access.redhat.com/security/cve/CVE-2026-53059). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all Linux systems running device-mapper in your infrastructure (storage servers, LVM deployments, container platforms); contact your Linux distribution vendor for patch availability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38927
GHSA-vj88-ppr4-hj46