Description
In the Linux kernel, the following vulnerability has been resolved:

block: add pgmap check to biovec_phys_mergeable

biovec_phys_mergeable() is used by the request merge, DMA mapping,
and integrity merge paths to decide if two physically contiguous
bvec segments can be coalesced into one. It currently has no check
for whether the segments belong to different dev_pagemaps.

When zone device memory is registered in multiple chunks, each chunk
gets its own dev_pagemap. A single bio can legitimately contain
bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at
pgmap boundaries but the outer loop in bio_iov_iter_get_pages()
continues filling the same bio. If such bvecs are physically
contiguous, biovec_phys_mergeable() will coalesce them, making it
impossible to recover the correct pgmap for the merged segment
via page_pgmap().

Add a zone_device_pages_have_same_pgmap() check to prevent merging
bvec segments that span different pgmaps.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux kernel function biovec_phys_mergeable(), which is used for merging contiguous bvec segments during request merge, DMA mapping, and integrity merge paths. It does not verify if the segments belong to the same dev_pagemap. If a single bio contains bvecs from different pagemaps that happen to be physically contiguous, the function will merge them, resulting in a merged segment whose underlying pgmap cannot be recovered accurately via page_pgmap(). This logical oversight can lead to memory corruption or leakage of data that should be protected by the original pagemap boundaries.
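A userspace C model of the merge decision described above, added here as an illustration; it is not kernel code and not taken from the patch. The names `chunk`, `seg`, `owner_of`, `mergeable` and `run_model` are hypothetical, the addresses are constructed, and any other conditions the real function applies are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace model: simplified stand-ins, not the kernel's structures. */
struct chunk { uint64_t start, end; };      /* one dev_pagemap-like range [start, end) */
struct seg   { uint64_t phys, len; };       /* one bvec-like segment */

/* Constructed layout: two chunks registered back to back in physical space. */
static const struct chunk chunks[] = {
    { 0x100000, 0x200000 },
    { 0x200000, 0x300000 },
};

/* Owning chunk of an address; NULL stands for ordinary, non-device memory. */
static const struct chunk *owner_of(uint64_t phys)
{
    for (size_t i = 0; i < sizeof(chunks) / sizeof(chunks[0]); i++)
        if (phys >= chunks[i].start && phys < chunks[i].end)
            return &chunks[i];
    return NULL;
}

/* Merge decision: contiguity alone, or contiguity plus the same owner. */
static bool mergeable(const struct seg *a, const struct seg *b, bool check_owner)
{
    if (a->phys + a->len != b->phys)
        return false;
    return !check_owner || owner_of(a->phys) == owner_of(b->phys);
}

/* Coalesce three constructed segments that straddle the chunk boundary.
 * Returns the segment count; *ambiguous counts segments whose first and
 * last byte have different owners, so no single lookup describes them. */
static size_t run_model(bool check_owner, size_t *ambiguous)
{
    struct seg s[] = { {0x1ff000, 0x1000}, {0x200000, 0x1000}, {0x201000, 0x1000} };
    size_t out = 0;

    for (size_t i = 1; i < sizeof(s) / sizeof(s[0]); i++) {
        if (mergeable(&s[out], &s[i], check_owner))
            s[out].len += s[i].len;
        else
            s[++out] = s[i];
    }
    *ambiguous = 0;
    for (size_t i = 0; i <= out; i++)
        *ambiguous += owner_of(s[i].phys) != owner_of(s[i].phys + s[i].len - 1);
    return out + 1;
}
```

With `check_owner` false the three segments collapse into one that spans both chunks; with it true the merge stops at the chunk boundary and every resulting segment has a single owner.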

Affected Systems

Affected systems include all Linux kernel versions prior to the patch that adds the pgmap boundary check. The vulnerability arises when zone device memory is registered in multiple chunks, each creating a distinct dev_pagemap. Any Linux system that uses such zone device memory is susceptible, regardless of distribution.

Risk and Exploitability

The risk profile is significant because the flaw resides in kernel core memory handling. While the EPSS score is not available and the vulnerability is not currently listed in CISA KEV, the lack of these metrics does not mitigate the potential for an attack. A local user with the ability to manipulate device memory mappings could craft bvecs that cross pagemap boundaries, leading to corruption or privileged information exposure. The recommended mitigation is a kernel update that incorporates the check added by commit 13920e4b7b784b40cf4519ff1f0f3e513476a499.

Generated by OpenCVE AI on May 28, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that incorporates the patch adding a pgmap boundary check to biovec_phys_mergeable (the fix is introduced by commit 13920e4b7b784b40cf4519ff1f0f3e513476a499).
  • If a kernel update cannot be applied immediately, limit the use of zone device memory that may span multiple pagemaps or configure the system to avoid registering zone device memory in multiple chunks.
  • Monitor kernel logs and system behavior for signs of abnormal bvec merging or memory corruption, and consider enabling kernel hardening features such as KASLR and strict memory isolation.



Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type: Weaknesses
Values Removed: (none listed)
Values Added: CWE-285, CWE-456

Thu, 28 May 2026 10:15:00 +0000

Values Removed: (none listed)
Values Added:

  • Description: In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.
  • Title: block: add pgmap check to biovec_phys_mergeable
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:26.735Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46115

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T10:16:26.980

Modified: 2026-05-28T10:16:26.980

Link: CVE-2026-46115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T12:15:19Z

Weaknesses