Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46289

Gravedad CVSS v3.1:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib/scatterlist: fix length calculations in extract_kvec_to_sg<br /> <br /> Patch series "Fix bugs in extract_iter_to_sg()", v3.<br /> <br /> Fix bugs in the kvec and user variants of extract_iter_to_sg. This series<br /> is growing due to useful remarks made by sashiko.dev.<br /> <br /> The main bugs are:<br /> - The length for an sglist entry when extracting from<br /> a kvec can exceed the number of bytes in the page. This<br /> is obviously not intended.<br /> - When extracting a user buffer the sglist is temporarily<br /> used as a scratch buffer for extracted page pointers.<br /> If the sglist already contains some elements this scratch<br /> buffer could overlap with existing entries in the sglist.<br /> <br /> The series adds test cases to the kunit_iov_iter test that demonstrate all<br /> of these bugs. Additionally, there is a memory leak fix for the test<br /> itself.<br /> <br /> The bugs were orignally introduced into kernel v6.3 where the function<br /> lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in<br /> v6.5. Thus the actual fix is only marked for backports to v6.5+.<br /> <br /> <br /> This patch (of 5):<br /> <br /> When extracting from a kvec to a scatterlist, do not cross page<br /> boundaries. The required length was already calculated but not used as<br /> intended.<br /> <br /> Adjust the copied length if the loop runs out of sglist entries without<br /> extracting everything.<br /> <br /> While there, return immediately from extract_iter_to_sg if there are no<br /> sglist entries at all.<br /> <br /> A subsequent commit will add kunit test cases that demonstrate that the<br /> patch is necessary.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (incluyendo) 6.6.140 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.88 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.30 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 7.0.7 (excluyendo)