Skip to main content

Linux Kernel EUVDEUVD-2026-32817

| CVE-2026-46190 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v954-p6j3-5m22
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:03 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.

AnalysisAI

Out-of-bounds read in the Linux kernel's SPI-NOR flash debugfs interface (spi_nor_params_show) allows local authenticated users with debugfs access to trigger memory disclosure or denial of service on 64-bit systems. The flaw stems from sizeof() being used on a pointer array instead of ARRAY_SIZE(), inflating the bounds-check length by 8x. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at 0.02%.

Technical ContextAI

The vulnerability resides in drivers/mtd/spi-nor/debugfs.c, which exposes runtime parameters of SPI-NOR (Serial Peripheral Interface NOR) flash devices via the kernel debugfs filesystem. The function spi_nor_params_show() iterates the snor_f_names array of string pointers describing flash capability flags. Because sizeof(snor_f_names) returns the byte size of the pointer array (element_count * 8 on 64-bit) rather than the element count, the helper spi_nor_print_flags() received an inflated bound and could index beyond the array when a flag bit higher than the true element count was set. This is a classic CWE-125 (Out-of-bounds Read) caused by misuse of sizeof() on a pointer array, fixed by switching to the ARRAY_SIZE() macro.

RemediationAI

Vendor-released patch: upgrade to Linux 7.1-rc2 or one of the stable backports 7.0.7, 6.18.30, 6.12.88, or 6.6.140, or apply the upstream fix commits listed at git.kernel.org/stable/c/34bdcfb4..., c0b654bc..., ca18c180..., e47029b9..., and 9a80c458.... If patching is not immediately possible, the most effective compensating control is to disable or restrict access to debugfs by not mounting /sys/kernel/debug at boot or remounting it with mode=0700 so only root can read SPI-NOR parameter files - the trade-off is loss of in-kernel debug observability for developers. On systems that do not require SPI-NOR flash, building the kernel without CONFIG_MTD_SPI_NOR or without CONFIG_DEBUG_FS eliminates the affected code path entirely at the cost of losing those subsystems.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy