CVE-2026-46289
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
lib/scatterlist: fix length calculations in extract_kvec_to_sg<br />
<br />
Patch series "Fix bugs in extract_iter_to_sg()", v3.<br />
<br />
Fix bugs in the kvec and user variants of extract_iter_to_sg. This series<br />
is growing due to useful remarks made by sashiko.dev.<br />
<br />
The main bugs are:<br />
- The length for an sglist entry when extracting from<br />
a kvec can exceed the number of bytes in the page. This<br />
is obviously not intended.<br />
- When extracting a user buffer the sglist is temporarily<br />
used as a scratch buffer for extracted page pointers.<br />
If the sglist already contains some elements this scratch<br />
buffer could overlap with existing entries in the sglist.<br />
<br />
The series adds test cases to the kunit_iov_iter test that demonstrate all<br />
of these bugs. Additionally, there is a memory leak fix for the test<br />
itself.<br />
<br />
The bugs were orignally introduced into kernel v6.3 where the function<br />
lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in<br />
v6.5. Thus the actual fix is only marked for backports to v6.5+.<br />
<br />
<br />
This patch (of 5):<br />
<br />
When extracting from a kvec to a scatterlist, do not cross page<br />
boundaries. The required length was already calculated but not used as<br />
intended.<br />
<br />
Adjust the copied length if the loop runs out of sglist entries without<br />
extracting everything.<br />
<br />
While there, return immediately from extract_iter_to_sg if there are no<br />
sglist entries at all.<br />
<br />
A subsequent commit will add kunit test cases that demonstrate that the<br />
patch is necessary.
Impacto
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45
- https://git.kernel.org/stable/c/3f17500e86d730c76db638bb3ae52f9b5e496c76
- https://git.kernel.org/stable/c/8fbba6829057979149d1b37d65690c037f3ddf4d
- https://git.kernel.org/stable/c/9d38756d0a93b66163554219fa9c3365f40c4035
- https://git.kernel.org/stable/c/e5e22fc9963469e678c4f4bb38d26adcec107f1e



