Skip to main content

Linux Kernel EUVDEUVD-2026-32889

| CVE-2026-46130 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6hvc-rwfc-mp4j
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.3 MEDIUM

Local FEC code path needs some privilege (PR:L) and a rare non-default-roots plus low-memory coincidence (AC:H); OOB read leaks kernel memory (C:H) or crashes (A:H), no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 20:22 vuln.today
CVSS changed
Jun 24, 2026 - 18:07 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

dm-verity-fec: fix reading parity bytes split across blocks (take 3)

fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.

This assumption is false. Consider v->fec->block_size 4096 && v->fec->roots 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.

Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer.

Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected:

fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89]

Regardless, fix it by refactoring how the parity blocks are read.

AnalysisAI

Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.

Technical ContextAI

dm-verity is the Linux device-mapper target that provides transparent integrity verification of read-only block devices (used by Android Verified Boot, ChromeOS, and immutable Linux images). Its optional FEC layer uses Reed-Solomon error correction to recover from media corruption, where each data block is protected by a number of parity 'roots' (fec_roots) stored in dedicated parity blocks. The bug, identified by the CPE cpe:2.3:o:linux:linux_kernel, lives in fec_decode_bufs(): it consumes v->fec->roots * (nbufs << DM_VERITY_FEC_BUF_RS_BITS) parity bytes per call, but because parity for each message block begins on a block boundary, the running byte offset (272*i mod 4096 in the worked example) eventually lands near the end of a block - e.g. at offset 4080 with only 16 bytes left when 17 are needed - causing a read beyond the buffer. This is a classic CWE-125 out-of-bounds read rooted in an incorrect alignment/boundary assumption rather than missing bounds validation.

RemediationAI

Patch available per vendor advisory: apply the upstream stable fixes referenced by commits 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb and 430a05cb926f6bdf53e81460a2c3a553257f3f61 (https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb and https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61), which land in 6.13 and the corresponding 6.1.y/6.6.y/6.12.y stable updates - upgrade to your distribution's patched kernel for those branches. If immediate patching is not possible, the practical compensating control is to avoid the trigger condition: use the default fec_roots value rather than the affected non-default values (17, 19, 21, 23) when creating dm-verity FEC devices, since the bug only manifests with those roots counts plus constrained buffer allocation; the trade-off is reduced error-correction strength if you were intentionally raising roots. Reducing memory pressure on affected hosts also lowers the chance of the small-nbufs allocation path that exposes the read. There is no network-facing exposure to block, so endpoint kernel patching is the durable fix.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy