Skip to main content

Linux Kernel EUVDEUVD-2026-32449

| CVE-2026-46067 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xp2w-qr8j-r6p4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local-only OOB read via DAMON sysfs needing privileges to write quota goals (PR:L, AV:L); yields kernel memory disclosure (C:H) and crash (A:H) with no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 19:16 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
7.1 (HIGH)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Users can set damos_quota_goal->nid with arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE-DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually triggered using DAMON user-space tool (damo), like below.

$ sudo mkdir /sys/fs/cgroup/foo $ sudo ./damo start --damos_action stat --damos_quota_interval 1s \ --damos_quota_goal node_memcg_used_bp 50% -1 /foo $ sudo dmseg [...] [ 524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00

Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.

AnalysisAI

Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local user with access to the DAMON sysfs interface to read out-of-bounds kernel memory or crash the system. The flaw exists because mm/damon/core failed to validate the user-supplied node ID (damos_quota_goal->nid) before using it in NODE_DATA() for the node_memcg_used_bp and node_memcg_free_bp quota goal metrics. The kernel description includes a working reproduction using the user-space 'damo' tool, but no public weaponized exploit and no active exploitation (CISA KEV) have been reported; EPSS is negligible at 0.02%.

Technical ContextAI

DAMON is the Linux kernel's data access monitoring framework, used for memory management tuning and proactive reclamation. DAMOS (DAMON-based Operation Schemes) supports quota goals that can target per-node, per-memcg memory ratios via the node_memcg_used_bp and node_memcg_free_bp metrics, where 'bp' denotes basis points. To compute these ratios the core code passes the caller-supplied node ID into NODE_DATA(nid) to obtain the pglist_data structure for that NUMA node. Because the nid was accepted from user space (via the DAMON sysfs interface) without bounds checking against the valid online node range, an arbitrary or negative value (e.g. -1) indexes outside the node_data array, producing an out-of-bounds read - matching CWE-125 (Out-of-bounds Read). The fix validates the node ID and, for invalid IDs, returns 0% for used-memory ratio and 100% for free-memory ratio instead of dereferencing invalid node data. CPE coverage is the generic cpe:2.3:o:linux:linux_kernel, indicating the upstream mainline kernel rather than a specific distribution build.

RemediationAI

Upgrade to a patched kernel: per the EUVD data the fix is in mainline 7.1-rc1 and the stable 7.0.4 release, applied via commits a34dac6482e53e2c76944f25b1489b9b7da3a6e6 and da10db73ada26345244ea5dc52f974692bd05f66 (https://git.kernel.org/stable/c/a34dac6482e53e2c76944f25b1489b9b7da3a6e6 and https://git.kernel.org/stable/c/da10db73ada26345244ea5dc52f974692bd05f66); distribution users should apply the corresponding vendor backport once available. As an interim compensating control, restrict access to the DAMON sysfs interface (/sys/kernel/mm/damon) to trusted administrators only and avoid delegating DAMON configuration to non-root users or containers, since exploitation requires writing a quota goal with the node_memcg_used_bp/node_memcg_free_bp metric - the trade-off is loss of DAMON-based tuning for unprivileged workflows. Where DAMON is not needed, building the kernel without CONFIG_DAMON (or not loading/using the DAMOS quota-goal feature) removes the attack surface entirely at the cost of the monitoring/reclaim functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy