CVE-2026-45896 - Vulnerability Details

- mtd: intel-dg: Fix accessing regions before setting nregions

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: intel-dg: Fix accessing regions before setting nregions

The regions array is counted by nregions, but it's set only after
accessing it:

[] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15
[] index 0 is out of range for type '<unknown> [*]'

Fix it by also fixing an undesired behavior: the loop silently ignores
ENOMEM and continues setting the other entries.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The mtd_intel_dg.c driver in the Linux kernel performs an array-index-out-of-bounds access before initializing the nregions counter that tracks valid entries. The UBSAN trace points to line 750 where the index 0 is accessed without prior bounds verification. Based on the description, it is inferred that this out-of-bounds access could corrupt kernel memory, lead to a panic, or otherwise destabilize the system. The driver also silently ignores ENOMEM failures and continues to populate the array, which may further compromise state consistency and memory integrity.

Affected Systems

All Linux kernel builds that include the unpatched mtd_intel_dg.c module are affected. The CPE entry applies broadly to all kernel revisions, so any distribution shipping this driver before the fix is at risk. The issue is local to systems that expose the Intel DG MTD device to user space.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% reflects a low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires local access to the Intel DG device; an attacker would need to trigger the out-of-bounds read by interacting with the device. Because the flaw resides in kernel space, a successful exploitation would affect the entire system and could enable privilege escalation if executed by a privileged or compromised process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ceb5ab3cb64637952657be23d347e1c79dd02212`	affected	< 721bd22bcf45a63ebd9bd0f478ef721b45cc5383
`ceb5ab3cb64637952657be23d347e1c79dd02212`	affected	< d58fca8513414b15387460b14a7a0a30405b9c9e
`ceb5ab3cb64637952657be23d347e1c79dd02212`	affected	< 779c59274d03cc5c07237a2c845dfb71cff77705

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ceb5ab3cb64637952657be23d347e1c79dd02212,721bd22bcf45a63ebd9bd0f478ef721b45cc5383)`	affected	code_commit	—
`[ceb5ab3cb64637952657be23d347e1c79dd02212,d58fca8513414b15387460b14a7a0a30405b9c9e)`	affected	code_commit	—
`[ceb5ab3cb64637952657be23d347e1c79dd02212,779c59274d03cc5c07237a2c845dfb71cff77705)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the patch fixing the array-index-out-of-bounds and ENOMEM handling (addresses CWE‑909).
If a kernel upgrade is not immediately possible, unload or disable the mtd_intel_dg kernel module to prevent execution of the vulnerable code path.
Enable kernel hardening features such as KASLR, memory protection, and strict access control to reduce the impact of any remaining kernel memory corruption vulnerabilities.

Generated by OpenCVE AI on May 28, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00198.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/721bd22bcf45a63ebd9bd0f478ef721b45cc5383
https://git.kernel.org/stable/c/779c59274d03cc5c07237a2c845dfb71cff77705
https://git.kernel.org/stable/c/d58fca8513414b15387460b14a7a0a30405b9c9e
https://lore.kernel.org/linux-cve-announce/2026052718-CVE-2026-45896-a4e9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45896
https://www.cve.org/CVERecord?id=CVE-2026-45896

History

Thu, 28 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-129

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-909
References		https://lore.kernel.org/linux-cve-announce/2026052718-CVE-2026-45896-a4e9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45896 https://www.cve.org/CVERecord?id=CVE-2026-45896
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-129

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mtd: intel-dg: Fix accessing regions before setting nregions The regions array is counted by nregions, but it's set only after accessing it: [] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15 [] index 0 is out of range for type '<unknown> [*]' Fix it by also fixing an undesired behavior: the loop silently ignores ENOMEM and continues setting the other entries.
Title		mtd: intel-dg: Fix accessing regions before setting nregions
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/721bd22bcf45a63ebd9bd0f478ef721b45cc5383 https://git.kernel.org/stable/c/779c59274d03cc5c07237a2c845dfb71cff77705 https://git.kernel.org/stable/c/d58fca8513414b15387460b14a7a0a30405b9c9e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:06.332Z

Updated: 2026-05-27T12:17:06.332Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45896

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.860

Modified: 2026-06-17T10:52:41.417

Link: CVE-2026-45896

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45896 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses

CWE-909
Missing Initialization of Resource

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object