Skip to main content

Linux Kernel EUVDEUVD-2026-32286

| CVE-2026-45990 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q4r9-vxp8-26x5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local low-privilege trigger; out-of-bounds kernel heap write warrants I:L over I:N; A:H for kernel panic.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:54 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

slub: fix data loss and overflow in krealloc()

Commit 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc") introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA node, even when the object is being shrunk.

This introduced two bugs in the reallocation fallback path:

  1. Data loss during NUMA migration: The jump to 'alloc_new' happens

before 'ks' and 'orig_size' are initialized. As a result, the memcpy() in the 'alloc_new' block would copy 0 bytes into the new allocation.

  1. Buffer overflow during shrinking: When shrinking an object while

forcing a new alignment, 'new_size' is smaller than the old size. However, the memcpy() used the old size ('orig_size ?: ks'), leading to an out-of-bounds write.

The same overflow bug exists in the kvrealloc() fallback path, where the old bucket size ksize(p) is copied into the new buffer without being bounded by the new size.

A simple reproducer:

// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW while (1) { void *p = kmalloc(128, GFP_KERNEL); p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE); kfree(p); }

demonstrates the issue:

============== BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130

Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47): memcpy_orig+0x68/0x130 krealloc_node_align_noprof+0x1c8/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ...

kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64

allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago): krealloc_node_align_noprof+0x19c/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... ==============

Fix it by moving the old size calculation to the top of __do_krealloc() and bounding all copy lengths by the new allocation size.

AnalysisAI

Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.

Technical ContextAI

The vulnerability resides in the Linux kernel SLUB allocator (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*), specifically in __do_krealloc() and kvrealloc(). Commit 2cd8231796b5 (mm/slub: allow to set node and align in k[v]realloc) added forced reallocation when an existing slab object fails to meet new alignment or NUMA node constraints, even during a shrink operation. This introduced two distinct bugs in the reallocation fallback path: first, a NUMA migration data-loss bug where the jump to the alloc_new label occurs before ks and orig_size are initialized, causing memcpy() to silently copy 0 bytes into the new allocation; second, a buffer overflow bug where memcpy() uses orig_size ?: ks (the original, larger bucket size) rather than new_size when writing into a smaller allocation - an out-of-bounds write into adjacent kernel heap memory. The identical overflow exists in the kvrealloc() fallback, where ksize(p) is used without being bounded by new_size. CWE-190 (Integer Overflow) is listed alongside the Buffer Overflow tag; the root cause is more precisely a logical sequencing error and an unbounded copy length, with CWE-190 reflecting that misuse of the unshrunk size value drives the overflow. KFENCE confirms the overflow empirically as a write 120 bytes beyond a 64-byte kmalloc-64 object.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched version: 6.18.27, 7.0.4, or 7.1-rc1 (or any later release). Upstream fix commits are available at https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588 (one stable branch), https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd (second branch), and https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd (third branch); these patches move old-size calculation to the top of __do_krealloc() and bound all memcpy() copy lengths by the new allocation size, and apply the same bound to kvrealloc(). Patch availability is confirmed by vendor (kernel.org stable tree). No architectural workaround can selectively disable the krealloc_node_align() code path without significant functional regression, as SLUB is the default kernel allocator used pervasively. Organizations unable to immediately upgrade should restrict untrusted local user access on shared-kernel hosts and enable KFENCE or KASAN on non-production systems to detect exploitation attempts via out-of-bounds write reports.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy