Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: validate payload size before accessing journal metadata

r5c_recovery_analyze_meta_block() and
r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
journal metadata block using on-disk payload size fields without
validating them against the remaining space in the metadata block.

A corrupted journal containing payload sizes extending beyond the PAGE_SIZE
boundary can cause out-of-bounds reads when accessing payload fields or
computing offsets.

Add bounds validation for each payload type to ensure the full payload
fits within meta_size before processing.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel RAID5 code has an improper bounds check in the recovery functions that process journal metadata blocks. The payload size fields are used without verifying that the total payload fits within the remaining space of the metadata block, which can lead to out-of-bounds reads of kernel memory. Based on the description, it is inferred that an attacker could cause the kernel to read beyond the intended buffer, potentially exposing sensitive kernel data that would otherwise be protected by the operating system’s memory isolation. The weakness is a classic bounds-checking error (CWE-1284) that manifests as an out-of-bounds read rather than a write. The vulnerability does not directly provide code execution or privilege escalation, but it does increase the risk of information disclosure from kernel memory. While the developers have fixed the bug, the exposed read path remains a risk until the kernel image is updated with the patch.
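The check the description calls for, shown as an added illustration (this is not the kernel patch and not code from this page): every on-disk payload size is validated against the space left before meta_size before the payload is read or skipped. The layout is a simplified assumption (32-byte header with meta_size at offset 8, a single payload type with a 16-byte fixed part and one 4-byte checksum per 8 sectors), not the real md/raid5 structures, and `walk_payloads` and `demo` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 4096u /* one metadata block (PAGE_SIZE in the description) */
#define META_HDR   32u   /* assumed header length; meta_size lives at offset 8 */
#define PL_FIXED   16u   /* assumed fixed part: type(2) flags(2) size(4) location(8) */

static uint32_t rd32(const uint8_t *p) { /* little-endian on-disk field */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns the payload count, or -1 if any on-disk size runs past meta_size. */
int walk_payloads(const uint8_t *blk) {
    uint32_t meta_size = rd32(blk + 8), off = META_HDR;
    int n = 0;

    if (meta_size < META_HDR || meta_size > BLOCK_SIZE)
        return -1;                      /* meta_size itself is untrusted */
    while (off < meta_size) {
        uint32_t left = meta_size - off;
        if (left < PL_FIXED)            /* fixed fields must fit before reading them */
            return -1;
        uint32_t nsums = rd32(blk + off + 4) >> 3; /* checksums claimed on disk */
        if (nsums > (left - PL_FIXED) / 4)         /* compare by division: no overflow */
            return -1;
        off += PL_FIXED + 4 * nsums;    /* safe: whole payload fits in meta_size */
        n++;
    }
    return n;
}

/* Constructed sample block: two payloads, meta_size sized for one checksum each.
 * The second payload's size field is caller-controlled to model corruption. */
int demo(uint32_t second_sectors) {
    static uint8_t blk[BLOCK_SIZE];
    memset(blk, 0, sizeof blk);
    wr32(blk + 8, META_HDR + 2 * (PL_FIXED + 4));
    wr32(blk + META_HDR + 4, 8);
    wr32(blk + META_HDR + PL_FIXED + 4 + 4, second_sectors);
    return walk_payloads(blk);
}

int main(void) {
    printf("intact: %d, corrupted: %d\n", demo(8), demo(0x10000));
    return 0;
}
```

Without the two `left` comparisons, the corrupted size would advance `off` far beyond the 4096-byte buffer, which is the out-of-bounds read the description refers to.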

Affected Systems

All Linux kernel installations that include the md RAID5 code are potentially vulnerable. The vendor product list and CPE indicate the entire Linux kernel family is affected, with no version exclusions noted. Therefore any system running a kernel build that contains the RAID5 journal recovery code could be impacted.

Risk and Exploitability

The CVSS score of 7.1 marks the flaw as high severity. The EPSS score is <1%, indicating a low but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large‑scale exploitation is not yet known. Based on the description, it is inferred that the attack would likely require a local or privileged user to create or corrupt a RAID5 journal block that the kernel processes. If an attacker can influence the journal contents, they may trigger an out‑of‑bounds read and obtain kernel memory data. The lack of public proof‑of‑concept exploits and the need for local interaction reduces the immediate threat but still warrants remediation.

Generated by OpenCVE AI on May 30, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the bounds validation patch for RAID5 journal metadata.
  • Rebuild all existing RAID5 arrays to eliminate or refresh any corrupted journal entries that might trigger the bug.
  • Limit or pause write operations to RAID5 devices until the kernel update is applied, or otherwise control access to the underlying block device to mitigate the risk of journal corruption.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Thu, 28 May 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-1284

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Wed, 27 May 2026 14:15:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal containing payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.

Type: Title
Values Added: md/raid5: validate payload size before accessing journal metadata

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:52:06.614Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46070

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:28.283

Modified: 2026-06-01T17:17:22.187

Link: CVE-2026-46070

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46070 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input