Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Users can set damos_quota_goal->nid with arbitrary value for
node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA()
without a validation of the value. This can result in out of bounds
memory access. The issue can actually be triggered using DAMON user-space
tool (damo), like below.

$ sudo mkdir /sys/fs/cgroup/foo
$ sudo ./damo start --damos_action stat --damos_quota_interval 1s \
--damos_quota_goal node_memcg_used_bp 50% -1 /foo
$ sudo dmesg
[...]
[ 524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00

Fix this issue by adding the validation of the given node id. If an
invalid node id is given, it returns 0% for used memory ratio, and 100%
for free memory ratio.
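
The validation pattern the fix describes, as an added user-space C model (not the kernel patch and not code from this page): an invalid node id yields 0% used and 100% free instead of indexing outside the node table. The table, its sample values and all function names are assumptions made for illustration.

```c
#include <stdio.h>

#define MAX_NODES 4        /* assumption: size of this model's node table */
#define BP_FULL   10000UL  /* 100% expressed in basis points */

struct node_stat { int online; unsigned long used, total; };

/* Constructed sample data: nodes 0 and 1 are online, 2 and 3 are not. */
static const struct node_stat nodes[MAX_NODES] = {
    { 1, 2500, 10000 }, { 1, 9000, 12000 }, { 0, 0, 0 }, { 0, 0, 0 },
};

/* Hypothetical check: the id must index the table and name an online node. */
static int nid_is_valid(int nid)
{
    return nid >= 0 && nid < MAX_NODES && nodes[nid].online;
}

/* Used ratio in basis points; an invalid nid reports 0% used. */
unsigned long used_bp(int nid)
{
    if (!nid_is_valid(nid) || nodes[nid].total == 0)
        return 0;
    return nodes[nid].used * BP_FULL / nodes[nid].total;
}

/* Free ratio in basis points; an invalid nid reports 100% free. */
unsigned long free_bp(int nid)
{
    if (!nid_is_valid(nid) || nodes[nid].total == 0)
        return BP_FULL;
    return BP_FULL - used_bp(nid);
}

int main(void)
{
    /* -1 is the node id from the reproduction; 4 is one past the table. */
    int ids[] = { 0, 1, 2, -1, 4 };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("nid %2d: used %5lu bp, free %5lu bp\n",
               ids[i], used_bp(ids[i]), free_bp(ids[i]));
    return 0;
}
```

Without the nid_is_valid() check, the -1 and 4 lookups would read outside the nodes array, which is the class of access the description reports for the unvalidated NODE_DATA() use.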
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s DAMON subsystem allows an attacker to supply an arbitrary node identifier to the damos_quota_goal parameter. The kernel code does not validate this identifier before using it in the node_memcg_used_bp and node_memcg_free_bp calculations, which can provoke an out-of-bounds memory access that crashes the kernel. The resulting kernel panic can be triggered using the DAMON user‑space tool, leading to denial of service.

Affected Systems

All Linux kernel versions that contain the DAMON subsystem and lack the patch that validates damos_quota_goal->nid. The vulnerability applies to standard Linux distributions that ship the kernel without the fix, regardless of vendor.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in CISA KEV, so the likelihood of exploitation is unknown; however, a kernel crash is a high-impact outcome, and the fact that it can be triggered with the user-space DAMON tool lowers the threshold for attackers. Exploitation requires control over the DAMON tool or the ability to set damos_quota_goal, which is possible in environments where the tool is run with elevated privileges (the reproduction in the description runs damo under sudo). No public CVSS score has been assigned, so the severity is not quantified, but the described out-of-bounds access warrants urgent attention.

Generated by OpenCVE AI on May 28, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest release in which the DAMON node‑id validation fix has been applied
  • If an immediate kernel update is not feasible, disable or remove the DAMON user‑space tool and refrain from configuring damos_quota_goal with arbitrary node IDs
  • Monitor system logs for kernel panic events and enforce strict access controls on the DAMON tool to prevent unauthorized executions

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:45.648Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46067

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:27.643

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46067

Redhat

Severity:

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46067 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T03:45:06Z

Weaknesses