Skip to main content

Linux Kernel EUVDEUVD-2026-35155

| CVE-2026-46289 CRITICAL
Memory Leak (CWE-401)
2026-06-08 Linux GHSA-qp34-4r23-mcwx
Critical
Disputed · 9.8 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Reachable only via in-kernel kvec consumers from a local context (AV:L, PR:L), requires a buffer that straddles a page boundary in a specific subsystem (AC:H); most realistic impact is kernel crash with limited memory disclosure/corruption.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:26 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
9.8 (CRITICAL)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 cve.org
CRITICAL 9.8
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

lib/scatterlist: fix length calculations in extract_kvec_to_sg

Patch series "Fix bugs in extract_iter_to_sg()", v3.

Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev.

The main bugs are:

  • The length for an sglist entry when extracting from

a kvec can exceed the number of bytes in the page. This is obviously not intended.

  • When extracting a user buffer the sglist is temporarily

used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist.

The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself.

The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+.

This patch (of 5):

When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended.

Adjust the copied length if the loop runs out of sglist entries without extracting everything.

While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.

A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.

AnalysisAI

Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.

Technical ContextAI

The affected code is extract_iter_to_sg() / extract_kvec_to_sg() in lib/scatterlist.c (previously fs/netfs/iterator.c). These helpers convert an iov_iter of type ITER_KVEC into a struct scatterlist used by block, networking, crypto, and netfs subsystems for DMA-style page lists. The bug is that the per-entry length was computed but the code did not actually clamp the sg entry to the remaining bytes within the current page, so a single sg entry could describe a region spanning a page boundary. A sibling defect in the user-buffer variant lets the temporary scratch use of the sglist overlap pre-existing entries. Although NVD lists no CWE, this is functionally an incorrect length/bounds calculation (CWE-682/CWE-131 class) that can manifest as out-of-bounds read/write when downstream code DMAs or copies based on the corrupted sg entry.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or later) on the corresponding stable branch, pulling the relevant commits 3f17500e86d7, 07b7d66e65d9, 8fbba6829057, 9d38756d0a93, e5e22fc99634 from https://git.kernel.org/stable/. On distributions, install the next vendor kernel package containing these backports and reboot; no kernel module reload is sufficient since lib/scatterlist is built-in. There is no realistic runtime workaround because the buggy helper is core infrastructure used by netfs, block, crypto and socket paths; if patching must be delayed, the only meaningful compensating control is to reduce exposure to workloads that heavily exercise kvec-based scatterlist construction (e.g., disable or restrict netfs-backed filesystems such as cifs/ksmbd/nfs/ceph on multi-tenant hosts), accepting the loss of those features until the kernel is updated.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-35155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy