CVE-2026-46130 - Vulnerability Details

- dm-verity-fec: fix reading parity bytes split across blocks (take 3)

Description

In the Linux kernel, the following vulnerability has been resolved:

dm-verity-fec: fix reading parity bytes split across blocks (take 3)

fec_decode_bufs() assumes that the parity bytes of the first RS codeword
it decodes are never split across parity blocks.

This assumption is false. Consider v->fec->block_size == 4096 &&
v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each
call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs <<
DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.

Considering that the parity data for each message block starts on a
block boundary, the byte alignment in the parity data will iterate
through 272*i mod 4096 until the 3 parity blocks have been consumed. On
the 16th call (i=15), the alignment will be 4080 bytes into the first
block. Only 16 bytes remain in that block, but 17 parity bytes will be
needed. The code reads out-of-bounds from the parity block buffer.

Fortunately this doesn't normally happen, since it can occur only for
certain non-default values of fec_roots *and* when the maximum number of
buffers couldn't be allocated due to low memory. For example with
block_size=4096 only the following cases are affected:

fec_roots=17: nbufs in [1, 3, 5, 15]
fec_roots=19: nbufs in [1, 229]
fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]
fec_roots=23: nbufs in [1, 89]

Regardless, fix it by refactoring how the parity blocks are read.

Published: 2026-05-28

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The dm-verity FEC (Reed‑Solomon) subsystem in the Linux kernel contains an assumption that parity bytes belonging to the first codeword are never split across parity blocks. For certain block sizes and root counts, such as block_size 4096 with fec_roots 17,19,21, or 23, and when the number of available buffers is limited, the parity data of a message block straddles a block boundary. Under these circumstances the decoder attempts to read more parity bytes than exist in the current block, causing an out‑of‑bounds read of the parity buffer within kernel memory. The fix re‑implements how parity blocks are accessed to eliminate the boundary condition that leads to the over-read.

Affected Systems

Any Linux system whose kernel implements dm-verity with FEC support and that has not applied the patch contained in commit 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb. The flaw manifests only for non‑default fec_roots, block size, and buffer allocation; the most common vulnerable case is block_size of 4096 with fec_roots set to 17, 19, 21, or 23 and a low number of buffers available (e.g., 1, 3, 5, 15, 1‑229, etc.). Any administrator or firmware that configures dm‑verity with these parameters may expose the system to the over‑read.

Risk and Exploitability

The CVSS score has not been issued and the EPSS data is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a configuration that leads to insufficient buffer allocation for the parity data, which may be achieved by selecting non‑default fec_roots values or by creating low‑memory conditions that prevent allocation of the necessary buffers. Once the out‑of‑bounds read occurs, it could potentially expose kernel memory contents or destabilize the system, though the exact impact depends on the execution context. The overall risk is therefore limited by the difficulty of meeting the preconditions for the boundary case and by the local nature of the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6df90c02bae468a3a6110bafbc659884d0c4966c`	affected	< 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb
`6df90c02bae468a3a6110bafbc659884d0c4966c`	affected	< 430a05cb926f6bdf53e81460a2c3a553257f3f61
`6bc6ee31113b05db605694491bdeb2b1730142f1`	affected	—
`12caa73a28f0ae147ec0356b45091edf2462462b`	affected	—
`fc8943886629e26de34867db302c74d465510826`	affected	—
`6.1.125`	affected	< 6.2
`6.6.72`	affected	< 6.7
`6.12.10`	affected	< 6.13

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6df90c02bae468a3a6110bafbc659884d0c4966c,3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb)`	affected	code_commit	—
`[6df90c02bae468a3a6110bafbc659884d0c4966c,430a05cb926f6bdf53e81460a2c3a553257f3f61)`	affected	code_commit	—
`[6bc6ee31113b05db605694491bdeb2b1730142f1,6bc6ee31113b05db605694491bdeb2b1730142f1]`	affected	code_commit	—
`[12caa73a28f0ae147ec0356b45091edf2462462b,12caa73a28f0ae147ec0356b45091edf2462462b]`	affected	code_commit	—
`[fc8943886629e26de34867db302c74d465510826,fc8943886629e26de34867db302c74d465510826]`	affected	code_commit	—
`[6.1.125,6.2)`	affected	generic	—
`[6.6.72,6.7)`	affected	generic	—
`[6.12.10,6.13)`	affected	generic	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.13,6.13]`	affected	generic	—
`[0,6.13)`	unaffected	generic	—
`[7.0.7,7.1.0]`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a release that contains the dm-verity‑FEC parity read fix
Configure dm‑verity to use default or safe fec_roots values (e.g., 15) and block sizes that avoid the boundary cases
Ensure sufficient memory allocation or monitor for low‑memory conditions and disable dm‑verity when it is not required

Generated by OpenCVE AI on May 28, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb
https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61

History

Thu, 28 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read.
Title		dm-verity-fec: fix reading parity bytes split across blocks (take 3)
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:45.387Z

Updated: 2026-05-28T09:35:45.387Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46130

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.570

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T14:00:18Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object