CVE-2026-46294
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
08/06/2026
Last modified:
08/07/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
dm: fix a buffer overflow in ioctl processing<br />
<br />
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the<br />
function retrieve_status:<br />
<br />
1. The code in retrieve_status checks that the output string fits into<br />
the output buffer and writes the output string there<br />
2. Then, the code aligns the "outptr" variable to the next 8-byte<br />
boundary:<br />
outptr = align_ptr(outptr);<br />
3. The alignment doesn&#39;t check overflow, so outptr could point past the<br />
buffer end<br />
4. The "for" loop is iterated again, it executes:<br />
remaining = len - (outptr - outbuf);<br />
5. If "outptr" points past "outbuf + len", the arithmetics wraps around<br />
and the variable "remaining" contains unusually high number<br />
6. With "remaining" being high, the code writes more data past the end of<br />
the buffer<br />
<br />
Luckily, this bug has no security implications because:<br />
1. Only root can issue device mapper ioctls<br />
2. The commonly used libraries that communicate with device mapper<br />
(libdevmapper and devicemapper-rs) use buffer size that is aligned to<br />
8 bytes - thus, "outptr = align_ptr(outptr)" can&#39;t overshoot the input<br />
buffer and the bug can&#39;t happen accidentally
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.12.1 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.30 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159
- https://git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c
- https://git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d
- https://git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2
- https://git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8
- https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668
- https://git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a
- https://git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a



