Description
In the Linux kernel, the following vulnerability has been resolved:

lib/scatterlist: fix length calculations in extract_kvec_to_sg

Patch series "Fix bugs in extract_iter_to_sg()", v3.

Fix bugs in the kvec and user variants of extract_iter_to_sg. This series
is growing due to useful remarks made by sashiko.dev.

The main bugs are:
- The length for an sglist entry when extracting from
a kvec can exceed the number of bytes in the page. This
is obviously not intended.
- When extracting a user buffer the sglist is temporarily
used as a scratch buffer for extracted page pointers.
If the sglist already contains some elements this scratch
buffer could overlap with existing entries in the sglist.

The series adds test cases to the kunit_iov_iter test that demonstrate all
of these bugs. Additionally, there is a memory leak fix for the test
itself.

The bugs were orignally introduced into kernel v6.3 where the function
lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in
v6.5. Thus the actual fix is only marked for backports to v6.5+.


This patch (of 5):

When extracting from a kvec to a scatterlist, do not cross page
boundaries. The required length was already calculated but not used as
intended.

Adjust the copied length if the loop runs out of sglist entries without
extracting everything.

While there, return immediately from extract_iter_to_sg if there are no
sglist entries at all.

A subsequent commit will add kunit test cases that demonstrate that the
patch is necessary.
Published: 2026-06-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the bug occurs while converting a kvec or user buffer into a scatterlist. The length of a scatterlist entry can unintentionally exceed a page boundary, and temporary use of the list for paging pointers can overlap with existing entries. These conditions allow unchecked memory writes in kernel space, potentially corrupting kernel memory and causing a system crash. This is a buffer overflow (CWE‑787) vulnerability.

Affected Systems

The defect first appeared in kernel 6.3 and was moved to lib/scatterlist.c in 6.5. Thus the backported fix applies to backported kernels after 6.5. Therefore systems running any kernel version from 6.3 up to the point where the backport is applied remain vulnerable, while kernel 6.5 and later that include the patch are protected.

Risk and Exploitability

The CVSS score of 9.8 indicates high severity, and the EPSS score is < 1%, implying a very low but nonzero exploitation probability; consequently the baseline risk is low. Based on the description, the vulnerability requires kernel execution or the ability to influence kernel memory—typically a privileged or local attacker; this inference is based on the kernel‑space nature of the code. Because the affected code is exercised by normal kernel operations that handle user buffers, the likely attack vector is providing crafted user buffers through regular kernel interfaces, which could trigger a denial‑of-service. The absence from CISA’s KEV catalog indicates there are no known exploits in the wild at this time.

Generated by OpenCVE AI on June 14, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to Linux kernel 6.5 or newer, or to any backport that includes the "Fix bugs in extract_iter_to_sg()" series.
  • If a newer kernel cannot be installed, download the backported patch series, apply it to the current kernel source, rebuild the kernel, and reinstall the updated module set.
  • While the patch is pending, restrict use of functions that invoke extract_iter_to_sg for untrusted or oversized user buffers; consider disabling or limiting drivers or kernel modules that exercise the vulnerable code path.

Generated by OpenCVE AI on June 14, 2026 at 07:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 14 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 09 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-129

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-129

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series "Fix bugs in extract_iter_to_sg()", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.
Title lib/scatterlist: fix length calculations in extract_kvec_to_sg
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:06:42.893Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46289

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:47.097

Modified: 2026-06-14T06:16:23.273

Link: CVE-2026-46289

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46289 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-14T07:30:10Z

Weaknesses