Description
In the Linux kernel, the following vulnerability has been resolved:

block: add pgmap check to biovec_phys_mergeable

biovec_phys_mergeable() is used by the request merge, DMA mapping,
and integrity merge paths to decide if two physically contiguous
bvec segments can be coalesced into one. It currently has no check
for whether the segments belong to different dev_pagemaps.

When zone device memory is registered in multiple chunks, each chunk
gets its own dev_pagemap. A single bio can legitimately contain
bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at
pgmap boundaries but the outer loop in bio_iov_iter_get_pages()
continues filling the same bio. If such bvecs are physically
contiguous, biovec_phys_mergeable() will coalesce them, making it
impossible to recover the correct pgmap for the merged segment
via page_pgmap().

Add a zone_device_pages_have_same_pgmap() check to prevent merging
bvec segments that span different pgmaps.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The biovec_phys_mergeable() function is used by the kernel to combine physically contiguous bvec segments in block operations, DMA mapping, and integrity merge paths. It currently does not check whether the segments belong to the same dev_pagemap. When zone device memory is registered in multiple chunks, each chunk receives its own dev_pagemap and a single bio can contain bvecs from different pgmaps. If those segments are physically contiguous, biovec_phys_mergeable() will merge them, resulting in a merged segment whose underlying pagemap cannot be recovered accurately via page_pgmap(). Based on the description, it is inferred that this oversight could lead to data that should be segregated by pagemap boundaries being incorrectly combined, potentially affecting memory integrity or leaking information that belongs to another pagemap.

Affected Systems

All Linux kernel versions prior to the patch that introduces the pgmap boundary check are vulnerable. Any distribution that ships such a kernel release is affected, regardless of the vendor, because the vulnerability resides in core kernel memory handling logic.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score is less than 1%, suggesting low current exploitation probability. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require local or network access that allows an attacker to manipulate device memory mappings or craft a bio that spans different pagemap boundaries. The risk is critical, and the primary mitigation is to update the kernel to a version that includes the boundary check added by commit 13920e4b7b784b40cf4519ff1f0f3e513476a499.

Generated by OpenCVE AI on May 30, 2026 at 13:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that incorporates the patch adding a pgmap boundary check to biovec_phys_mergeable (commit 13920e4b7b784b40cf4519ff1f0f3e513476a499).
  • If an immediate kernel upgrade is not possible, limit the use of zone device memory that may span multiple pagemap boundaries or configure the system to avoid registering zone device memory in multiple chunks.
  • Monitor kernel logs and system behavior for signs of abnormal bvec merging or memory corruption, and consider enabling kernel hardening features such as KASLR and strict memory isolation.

Generated by OpenCVE AI on May 30, 2026 at 13:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-456

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-456

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.
Title block: add pgmap check to biovec_phys_mergeable
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:55:32.974Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46115

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:26.980

Modified: 2026-06-17T10:53:05.550

Link: CVE-2026-46115

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46115 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-372

    Incomplete Internal State Distinction