CVE-2026-46006 - Vulnerability Details

- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]

Published: 2026-05-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises in the Nouveau driver where a 32‑bit relocation offset is added to a constant and then compared against a 64‑bit buffer size. Because the addition is performed in 32‑bit arithmetic, the result can wrap around and become smaller than the actual buffer size, letting an out‑of‑bounds relocation be considered valid. This flaw can corrupt memory and the potential for arbitrary code execution is inferred due to the memory corruption. The weakness is an integer overflow with bounds‑check bypass, classified as CWE‑190.

Affected Systems

All Linux kernel releases that include the Nouveau driver before the upstream commit that casts the addition to 64‑bit arithmetic are potentially vulnerable. The advisory does not list specific kernel versions, so any unpatched kernel lacking that commit remains at risk until the patch is applied.

Risk and Exploitability

The advisory lists a CVSS score of 7.8, indicating high severity, while the EPSS score is < 1%, suggesting a low exploitation probability. CISA’s KEV catalog does not list this vulnerability. It is inferred that exploitation would likely require an attacker to control the GPU push‑buffer with crafted relocation data; such a scenario generally needs local or privileged access. The likely impact is memory corruption that could compromise integrity and availability, and in the worst case could enable arbitrary code execution. Thus far, no public exploit has been disclosed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< 573a1104bd36e49c067a9dc62e7c476d5ee7e92a
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< 45a45184b9c0b0b26ead06e370cda2073616a7cc
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< fa297e919d1680c38ab268ff952b1698dac987f6
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< d749a9a0ee4014681487e7ae549901aa8c176637
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< 332884f5eb79dd60a7162b079d09d39208567a31
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< e441d5c23ec644c8d27593db3b8928e8933512a9
`a1606a9596e54da90ad6209071b357a4c1b0fa82`	affected	< 2fc87d37be1b730a149b035f9375fdb8cc5333a5

Linux

affected

Version	Status	Constraints
`2.6.34`	affected	—
`0`	unaffected	< 2.6.34
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a1606a9596e54da90ad6209071b357a4c1b0fa82,fa297e919d1680c38ab268ff952b1698dac987f6)`	affected	code_commit	—
`[a1606a9596e54da90ad6209071b357a4c1b0fa82,d749a9a0ee4014681487e7ae549901aa8c176637)`	affected	code_commit	—
`[a1606a9596e54da90ad6209071b357a4c1b0fa82,332884f5eb79dd60a7162b079d09d39208567a31)`	affected	code_commit	—
`[a1606a9596e54da90ad6209071b357a4c1b0fa82,e441d5c23ec644c8d27593db3b8928e8933512a9)`	affected	code_commit	—
`[a1606a9596e54da90ad6209071b357a4c1b0fa82,2fc87d37be1b730a149b035f9375fdb8cc5333a5)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.34`	affected	semver	—
`[0,2.6.34)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the 64‑bit cast fix (e.g., apply commit 2fc87d37be1b730a149b035f9375fdb8cc5333a5).
If a kernel update is not immediately possible, disable the Nouveau driver using modprobe blacklist or the kernel boot parameter "nouveau.modeset=0" and switch to an alternative DRM driver such as amdgpu or i915 to avoid the vulnerable code path.
After applying the patch or disabling the driver, monitor system logs for GPU‑related errors and verify that no unintended load attempts occur; consider enabling additional kernel mitigations such as address space randomization and security modules to reduce the impact of any remaining weaknesses.

Generated by OpenCVE AI on May 30, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00129.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5
https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31
https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc
https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a
https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637
https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9
https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6
https://lore.kernel.org/linux-cve-announce/2026052743-CVE-2026-46006-2a21@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46006
https://www.cve.org/CVERecord?id=CVE-2026-46006

History

Tue, 16 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-680

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190
References		https://lore.kernel.org/linux-cve-announce/2026052743-CVE-2026-46006-2a21@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46006 https://www.cve.org/CVERecord?id=CVE-2026-46006

Wed, 27 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-680

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. [ Add Fixes: tag. - Danilo ]
Title		drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5 https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31 https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637 https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9 https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:56:05.273Z

Updated: 2026-06-14T17:47:33.579Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46006

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:18.353

Modified: 2026-06-16T15:25:48.340

Link: CVE-2026-46006

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46006 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses

CWE-190
Integer Overflow or Wraparound
CWE-787
Out-of-bounds Write

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object