Description
In the Linux kernel, the following vulnerability has been resolved:

dm mirror: fix integer overflow in create_dirty_log()

The argument count calculation in create_dirty_log() performs
`*args_used = 2 + param_count` before validating against argc. When a
user provides a param_count close to UINT_MAX via the device mapper
table string, this unsigned addition wraps around to a small value,
causing the subsequent `argc < *args_used` check to be bypassed.

The overflowed param_count is then passed as argc to dm_dirty_log_create(),
where it can cause out-of-bounds reads on the argv array.

Fix by comparing param_count against argc - 2 before performing the
addition, following the same pattern used by parse_features() in the
same file. Since argc >= 2 is already guaranteed, the subtraction is
safe.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in dm mirror’s create_dirty_log() routine. The function calculates a required argument count as 2 + param_count before checking it against the supplied argc. When a user supplies a param_count close to UINT_MAX via a device‑mapper table string, the unsigned addition overflows to a small value, causing the subsequent bounds check to be bypassed. This overflowed value is then passed to dm_dirty_log_create(), which can read beyond the bounds of the argv array. The out‑of‑bounds read may lead to memory disclosure or a kernel crash, representing a denial‑of‑service condition. This flaw maps to CWE‑190, Integer Overflow.
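
The check ordering described above, modelled in user space as an added example (this is not the kernel's code; the function names `check_before_fix` and `check_after_fix` and the sample values are assumptions made for illustration). It shows which `param_count` values each ordering accepts when only two log parameters are actually present:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * User-space model of the argument-count check. Names are hypothetical;
 * only the arithmetic follows the advisory text.
 */

/* Pre-fix order: add first, then compare. 2 + param_count can wrap. */
static bool check_before_fix(unsigned int argc, unsigned int param_count,
                             unsigned int *args_used)
{
    if (argc < 2)
        return false;
    *args_used = 2 + param_count;      /* wraps modulo UINT_MAX + 1 */
    return !(argc < *args_used);       /* true means accepted */
}

/* Post-fix order: bound param_count by argc - 2, then add. */
static bool check_after_fix(unsigned int argc, unsigned int param_count,
                            unsigned int *args_used)
{
    if (argc < 2)
        return false;
    if (param_count > argc - 2)        /* argc >= 2, so no underflow */
        return false;
    *args_used = 2 + param_count;      /* now at most argc */
    return true;
}

int main(void)
{
    /* Constructed inputs: argc = 4, so at most 2 log parameters exist. */
    unsigned int samples[] = { 0, 2, 3, UINT_MAX - 1, UINT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int used_old = 0, used_new = 0;
        bool old_ok = check_before_fix(4, samples[i], &used_old);
        bool new_ok = check_after_fix(4, samples[i], &used_new);
        printf("param_count=%u old=%s (args_used=%u) new=%s\n",
               samples[i], old_ok ? "accept" : "reject", used_old,
               new_ok ? "accept" : "reject");
    }
    return 0;
}
```

In the pre-fix ordering the wrapped `args_used` passes the comparison while the unwrapped `param_count` is what a downstream consumer would use as its element count.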

Affected Systems

Linux kernel builds that include the dm mirror module and are either unsupported or predate the fix are affected. This covers any distribution using its default kernel from before the commit that introduced the fix; the advisory does not list specific affected version numbers.

Risk and Exploitability

Exploitation requires the ability to create or modify a device‑mapper table, normally a privileged or root user. The likely attack vector is a malicious device‑mapper table entry created by a privileged user, as inferred from the description that param_count can be supplied via the device‑mapper table string. No public exploit is documented, EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the overflow can be triggered with a crafted table entry, resulting in a potential kernel panic or arbitrary read. The CVSS score is 7.0, indicating high severity. Monitoring for unusual device‑mapper activity and applying the patch are recommended to mitigate risk.

Generated by OpenCVE AI on May 28, 2026 at 04:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes the fix from commit 17a08791d428885d00e510864283a7b839792368.
  • Reboot the system to load the updated kernel.
  • Restrict device‑mapper configuration privileges to trusted users; remove any existing tables that supply a param_count near 32767 or INT_MAX.

Generated by OpenCVE AI on May 28, 2026 at 04:41 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in create_dirty_log() The argument count calculation in create_dirty_log() performs `*args_used = 2 + param_count` before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent `argc < *args_used` check to be bypassed. The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array. Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe.
Title dm mirror: fix integer overflow in create_dirty_log()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:40.907Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46023

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:20.783

Modified: 2026-06-16T15:55:23.260

Link: CVE-2026-46023

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46023 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-190: Integer Overflow or Wraparound