Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local sysfs write access required (AV:L, PR:L); non-power-of-two value triggers kernel crash with no confidentiality or integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start().
The issue was discovered by sashiko [1].
AnalysisAI
Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two min_region_sz value through the DAMON sysfs interface and invoking damon_start(). The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the damon_commit_ctx() code path but left damon_start() - reachable via DAMON sysfs - without the is_power_of_2() guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.
Technical ContextAI
DAMON is a Linux kernel memory subsystem (mm/damon/) that monitors data access patterns and feeds memory management policies. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input): the min_sz_region field added by commit d8f867fa0825 requires power-of-two alignment to ensure DAMON region boundaries stay aligned with kernel page granularity. The is_power_of_2() validation was added to damon_commit_ctx() by commit c80f46ac228b but was not applied to damon_start(), which is the code path invoked when a user writes to the DAMON sysfs interface under /sys/kernel/mm/damon/. Providing a non-power-of-two value causes unaligned region address arithmetic inside the kernel, which can produce memory corruption or a kernel panic. Affected CPE: cpe:2.3:a:linux:linux across the 6.18.x and 7.0.x stable series and development builds up to 7.1-rc1.
RemediationAI
The primary fix is to upgrade the Linux kernel to a patched version: 6.18.30 or later for the 6.18 stable series, 7.0.4 or later for the 7.0.x series, or any mainline build at 7.1-rc1 or later. Upstream fix commits are published at https://git.kernel.org/stable/c/95093e5cb4c5b50a5b1a4b79f2942b62744bd66a (6.18 branch), https://git.kernel.org/stable/c/89b6226b6c2a4add3939f361653a47c212d6ab75 (7.0 branch), and https://git.kernel.org/stable/c/1de2db19a6028abe7d905875922faef5b873de67 (mainline). Ubuntu users should apply the kernel packages referenced in USN-8489-1 (https://ubuntu.com/security/notices/USN-8489-1) and USN-8488-1 (https://ubuntu.com/security/notices/USN-8488-1). As a compensating control pending patching, administrators can restrict write access to the DAMON sysfs hierarchy at /sys/kernel/mm/damon/ using filesystem permissions or a MAC policy (e.g., SELinux/AppArmor), preventing low-privileged users from writing arbitrary values - note this disables user-space DAMON configuration for non-root users. Alternatively, if DAMON is unused, rebuilding the kernel with CONFIG_DAMON_SYSFS=n removes the vulnerable interface entirely.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35434
GHSA-q36j-3hm6-hh2w