Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp

Patch series "mm/damon/core: validate damos_quota_goal->nid".

node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The
node id is used for si_meminfo_node() and NODE_DATA() without proper
validation. As a result, privileged users can trigger an out of bounds
memory access using DAMON_SYSFS. Fix the issues.

The issue was originally reported [1] with a fix by another author. The
original author announced [2] that they will stop working including the
fix that was still in the review stage. Hence I'm restarting this.


This patch (of 2):

Users can set damos_quota_goal->nid with arbitrary value for
node_mem_{used,free}_bp. But DAMON core is using those for
si_meminfo_node() without the validation of the value. This can result in
out of bounds memory access. The issue can actually be triggered using the DAMON
user-space tool (damo), like below.

$ sudo ./damo start --damos_action stat \
--damos_quota_goal node_mem_used_bp 50% -1 \
--damos_quota_interval 1s
$ sudo dmesg
[...]
[ 65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098

Fix this issue by adding the validation of the given node. If an invalid
node id is given, it returns 0% for used memory ratio, and 100% for free
memory ratio.
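To make the fix semantics concrete, here is an added user-space C model of the validated quota-goal computation. It is not the kernel's code: the node table, the node count (standing in for the kernel's notion of valid node ids) and every `sample_*` name are constructed for illustration, and the exact check the kernel uses is not stated in the description, so a plain range check is assumed. What it shows is the behaviour the description specifies: a valid nid yields the node's used/free ratio in basis points, and an invalid nid (such as the -1 passed to damo above) yields 0% used and 100% free instead of an out-of-bounds read.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for what si_meminfo_node() reports per NUMA node.
 * The numbers are sample values, not taken from any real system.
 */
struct node_meminfo {
    uint64_t totalram;
    uint64_t freeram;
};

static const struct node_meminfo sample_nodes[] = {
    { .totalram = 1000, .freeram = 250 },   /* node 0: 75% used */
    { .totalram = 2000, .freeram = 1500 },  /* node 1: 25% used */
};

/* Assumed stand-in for the kernel's node count; the real check may differ. */
#define SAMPLE_NR_NODE_IDS ((int)(sizeof sample_nodes / sizeof sample_nodes[0]))

/* The check the unpatched path lacked: a user-supplied nid must name a real node. */
static bool sample_node_valid(int nid)
{
    return nid >= 0 && nid < SAMPLE_NR_NODE_IDS;
}

/* Used-memory ratio in basis points (10000 = 100%); 0% for an invalid node. */
unsigned long sample_node_mem_used_bp(int nid)
{
    if (!sample_node_valid(nid))
        return 0;
    const struct node_meminfo *m = &sample_nodes[nid];
    if (m->totalram == 0)
        return 0;
    return (unsigned long)((m->totalram - m->freeram) * 10000 / m->totalram);
}

/* Free-memory ratio in basis points; 100% for an invalid node. */
unsigned long sample_node_mem_free_bp(int nid)
{
    if (!sample_node_valid(nid))
        return 10000;
    const struct node_meminfo *m = &sample_nodes[nid];
    if (m->totalram == 0)
        return 10000;
    return (unsigned long)(m->freeram * 10000 / m->totalram);
}

int main(void)
{
    /* -1 mirrors the damo invocation in the description; 7 is simply out of range. */
    int probes[] = { 0, 1, -1, 7 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nid %3d: used %5lu bp, free %5lu bp\n", probes[i],
               sample_node_mem_used_bp(probes[i]),
               sample_node_mem_free_bp(probes[i]));
    return 0;
}
```

The choice of 0% used / 100% free for an invalid node is the one the description gives; it makes a misconfigured goal fall back to "no pressure" rather than reading past the node array.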
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the DAMON subsystem accepts an unchecked node identifier from the damos_quota_goal structure used by node_mem_{used,free}_bp quota goals. That identifier is then passed directly to si_meminfo_node() and NODE_DATA() without validation, triggering an out‑of‑bounds memory access that can culminate in a kernel crash or a NULL‑pointer dereference. The flaw is a CWE‑1285 issue.

Affected Systems

All Linux kernel releases containing the DAMON memory‑control subsystem and exposing node_mem_{used,free}_bp quota goals to privileged users are vulnerable. Distributions running a kernel version that has not incorporated the "mm/damon/core: validate damos_quota_goal->nid" patch remain exposed regardless of distribution release.

Risk and Exploitability

The flaw requires local privilege; an attacker must already have root or a trusted process to invoke DAMON tools or the sysfs interface. No public exploits have been documented, the EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, its out‑of‑bounds nature gives it a high impact potential for privilege escalation if the attacker can supply a malicious node id.

Generated by OpenCVE AI on May 28, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the mm/damon/core: validate damos_quota_goal->nid patch or apply the patch to the kernel source before recompiling.
  • Restrict or disable access to the DAMON_SYSFS interface and the damo user‑space tool if the functionality is not required, ensuring that only trusted root users can modify node_mem_* settings.
  • Audit and harden DAMON configurations by validating node id values against the valid NUMA node range and implementing additional input checks where possible.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-125
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Thu, 28 May 2026 00:15:00 +0000

Wed, 27 May 2026 14:15:00 +0000

Type                  Values Removed    Values Added
Description                             (the full commit-message description shown at the top of this page)
Title                                   mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
First Time appeared                     Linux; Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux; Linux linux Kernel
References
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:26.041Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46020

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:20.460

Modified: 2026-06-16T15:55:51.620

Link: CVE-2026-46020

Redhat

Severity :

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46020 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input