Description
In the Linux kernel, the following vulnerability has been resolved:

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.
Published: 2026-05-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SPI NOR flash driver (spi-nor) contains an out-of-bounds read in its debugfs handler spi_nor_params_show(). The function passes sizeof(snor_f_names), the byte size of an array of pointers, where an element count is expected, which on 64-bit systems inflates the length eight times. spi_nor_print_flags() uses this inflated length to bounds-check array accesses, so a set flag bit that exceeds the real element count but falls within the byte size triggers a read beyond the end of the array. The exposed data can include sensitive kernel memory, resulting in information disclosure. The weakness corresponds to CWE-125 (Out-of-bounds Read) and CWE-788 (Access of Memory Location After End of Buffer).
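
The length mix-up described above, reduced to a stand-alone user-space C program. This is an added example, not the kernel's code: flag_names, the flag word and count_oob_lookups() are constructed for illustration, and the bounds check is modelled on the description. It counts the lookups that pass the check but index past the array, without performing the out-of-range read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for snor_f_names: an array of string pointers. */
static const char *const flag_names[] = {
    "FLAG_A", "FLAG_B", "FLAG_C", "FLAG_D", "FLAG_E",
};

/* Length as the buggy call passed it: bytes occupied by the pointers. */
size_t len_buggy(void) { return sizeof(flag_names); }

/* Length as the fix passes it: number of string pointers. */
size_t len_fixed(void) { return ARRAY_SIZE(flag_names); }

/*
 * Model of the names_len bounds check (assumed shape, taken from the
 * description): a set bit is looked up in the array when bit < names_len.
 * Returns how many set bits pass that check yet index past the real
 * array. The out-of-range slot itself is never dereferenced here.
 */
unsigned int count_oob_lookups(uint32_t flags, size_t names_len)
{
    unsigned int oob = 0;

    for (unsigned int bit = 0; bit < 32; bit++) {
        if (!(flags & (UINT32_C(1) << bit)))
            continue;
        if (bit >= names_len)
            continue;                  /* rejected by the bounds check */
        if (bit >= ARRAY_SIZE(flag_names))
            oob++;                     /* accepted, but past the array */
    }
    return oob;
}

int main(void)
{
    /* Constructed flag word: bit 1 is in range, bits 7 and 12 are not. */
    uint32_t flags = (UINT32_C(1) << 1) | (UINT32_C(1) << 7) | (UINT32_C(1) << 12);

    printf("sizeof: len=%zu, lookups past the array=%u\n",
           len_buggy(), count_oob_lookups(flags, len_buggy()));
    printf("ARRAY_SIZE: len=%zu, lookups past the array=%u\n",
           len_fixed(), count_oob_lookups(flags, len_fixed()));
    return 0;
}
```

Building with -fsanitize=address and replacing the counter with a real names[bit] access is one way to confirm the same finding in a test harness.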

Affected Systems

All Linux kernel versions that contain the debugfs spi-nor implementation are affected until the fix is applied. The issue is present in the source tree for the Linux kernel as a whole, with no version restrictions listed. System administrators should consider any kernel running the buggy code as susceptible.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, EPSS < 1%, and is not listed in the CISA KEV catalog. While the description does not explicitly state an exploitation path, the code path involves debugfs, so the likely attack vector is local access to debugfs, which is typically available only to users with root privileges or those granted debugfs permissions. Thus the attack surface is local and requires elevated or privileged user access. An attacker who can read the out-of-bounds data might use the information disclosure to facilitate further local privilege escalation or sensitive data extraction; no remote exploitation path is described.

Generated by OpenCVE AI on June 11, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Linux kernel version that incorporates the fix for spi_nor_params_show.
  • If an immediate kernel upgrade is not possible, restrict unprivileged users from accessing the debugfs filesystem to mitigate exposure of spi-nor parameters.
  • As a temporary defensive measure, consider mounting debugfs with read-only permissions or unmounting it in environments where the vulnerability poses the greatest risk.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680
CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.
Title mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:01:26.530Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46190

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:34.640

Modified: 2026-06-11T03:10:46.520

Link: CVE-2026-46190

Red Hat

Severity: Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46190 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T04:30:04Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-788

    Access of Memory Location After End of Buffer