Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: validate payload size before accessing journal metadata

r5c_recovery_analyze_meta_block() and
r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
journal metadata block using on-disk payload size fields without
validating them against the remaining space in the metadata block.

A corrupted journal contains payload sizes extending beyond the PAGE_SIZE
boundary can cause out-of-bounds reads when accessing payload fields or
computing offsets.

Add bounds validation for each payload type to ensure the full payload
fits within meta_size before processing.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A corrupted RAID5 journal can contain payload sizes that exceed the amount of metadata space available, leading to out-of-bounds reads when the kernel processes journal blocks. This vulnerability is an improper bounds check that allows kernel memory to be read beyond the intended buffer, which can expose sensitive information or cause a system crash. The weakness is a classic out-of-bounds reading flaw, often classified as a memory safety violation.

Affected Systems

All Linux kernel installations are potentially affected, as the CPE indicates the entire Linux kernel product is impacted. No specific version exclusions are listed, implying that any kernel build containing the mpblk RAID5 code is vulnerable.

Risk and Exploitability

The risk is elevated in environments where an attacker can influence or corrupt the RAID5 journal, such as by writing to a block device that the kernel keeps in memory. While no proof‑of‑concept exploit is publicly documented, the nature of the bug means that a local or privileged attacker could read kernel addresses to facilitate further compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation is not yet common. Nonetheless, the presence of this bug warrants prompt mitigation due to the potential for information disclosure and system instability.

Generated by OpenCVE AI on May 27, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel version that includes the bounds validation for RAID5 journal metadata.
  • If the kernel cannot be updated immediately, rebuild affected RAID5 arrays to eliminate corrupted journal entries and reduce the risk surface.
  • Consider disabling or limiting write activity on RAID5 devices until an update is applied, to prevent further corruption.

Generated by OpenCVE AI on May 27, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.
Title md/raid5: validate payload size before accessing journal metadata
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:54.345Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46070

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:28.283

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46070

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses

No weakness.