CVE-2026-45990
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-190
Desbordamiento o ajuste de enteros
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
slub: fix data loss and overflow in krealloc()<br />
<br />
Commit 2cd8231796b5 ("mm/slub: allow to set node and align in<br />
k[v]realloc") introduced the ability to force a reallocation if the<br />
original object does not satisfy new alignment or NUMA node, even when<br />
the object is being shrunk.<br />
<br />
This introduced two bugs in the reallocation fallback path:<br />
<br />
1. Data loss during NUMA migration: The jump to &#39;alloc_new&#39; happens<br />
before &#39;ks&#39; and &#39;orig_size&#39; are initialized. As a result, the<br />
memcpy() in the &#39;alloc_new&#39; block would copy 0 bytes into the new<br />
allocation.<br />
<br />
2. Buffer overflow during shrinking: When shrinking an object while<br />
forcing a new alignment, &#39;new_size&#39; is smaller than the old size.<br />
However, the memcpy() used the old size (&#39;orig_size ?: ks&#39;), leading<br />
to an out-of-bounds write.<br />
<br />
The same overflow bug exists in the kvrealloc() fallback path, where the<br />
old bucket size ksize(p) is copied into the new buffer without being<br />
bounded by the new size.<br />
<br />
A simple reproducer:<br />
<br />
// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW<br />
while (1) {<br />
void *p = kmalloc(128, GFP_KERNEL);<br />
p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);<br />
kfree(p);<br />
}<br />
<br />
demonstrates the issue:<br />
<br />
==================================================================<br />
BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130<br />
<br />
Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):<br />
memcpy_orig+0x68/0x130<br />
krealloc_node_align_noprof+0x1c8/0x340<br />
lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]<br />
lkdtm_do_action+0x3a/0x60 [lkdtm]<br />
...<br />
<br />
kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64<br />
<br />
allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):<br />
krealloc_node_align_noprof+0x19c/0x340<br />
lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]<br />
lkdtm_do_action+0x3a/0x60 [lkdtm]<br />
...<br />
==================================================================<br />
<br />
Fix it by moving the old size calculation to the top of __do_krealloc()<br />
and bounding all copy lengths by the new allocation size.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.18 (incluyendo) | 6.18.27 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



