Skip to main content

Linux Kernel EUVDEUVD-2026-32452

| CVE-2026-46070 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-76hh-2v3c-vm3v
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
5.3 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:43 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

md/raid5: validate payload size before accessing journal metadata

r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block.

A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets.

Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.

AnalysisAI

Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).

Technical ContextAI

The vulnerable code lives in the md (multiple device) RAID5 subsystem, specifically the write-back cache/journal recovery routines in drivers/md/raid5-cache.c. When an md/raid5 array with an attached journal device is assembled, the kernel walks each journal metadata block and iterates over variable-length payload descriptors (data, parity, flush) to replay or verify in-flight writes. The iteration used on-disk size fields directly to advance the cursor, which is a classic out-of-bounds read pattern (CWE-125) caused by missing input validation (CWE-20) of length-tagged structures on persistent storage. The fix adds explicit bounds checks ensuring each payload - header plus data - fits within meta_size before any field is dereferenced. CPE data was not provided, but the EUVD-listed fix lines (6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1) plus the commit range starting at b4c625c67362 (introducing the raid5 journal cache in v4.10) indicate the bug has existed since journal/write-back cache was introduced in kernel 4.10.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any later stable release containing the bounds-check commits) from https://git.kernel.org/stable/c/406aa86394ead347c47428fb51b6359bdaa2257d and the other listed stable trees, then reboot. If immediate patching is not possible, the most effective compensating control is to stop using an md RAID5 journal/write-back cache device on untrusted storage - either remove the journal from the array (mdadm --grow --remove-journal) or ensure the journal device is hosted on storage no untrusted user can write to, since the OOB read is only reachable when journal contents can be attacker-influenced; this trade-off costs the write-hole protection that the journal provides. Additionally, restrict CAP_SYS_ADMIN and raw block-device access (loop devices, /dev/sd*, container --device passthrough) to trusted users, which limits who can attach a malicious journal device in the first place.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy