Description
In the Linux kernel, the following vulnerability has been resolved:

dm: fix a buffer overflow in ioctl processing

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:

1. The code in retrieve_status checks that the output string fits into
the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
boundary:
outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
buffer end
4. The "for" loop is iterated again, it executes:
remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetics wraps around
and the variable "remaining" contains unusually high number
6. With "remaining" being high, the code writes more data past the end of
the buffer

Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
(libdevmapper and devicemapper-rs) use buffer size that is aligned to
8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
buffer and the bug can't happen accidentally
Published: 2026-06-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a buffer overflow in the Linux kernel's device mapper ioctl handler function retrieve_status. The routine aligns an output pointer to the next 8‑byte boundary without checking bounds, which can cause the pointer to advance past the allocated buffer and allow subsequent writes to overwrite memory beyond the intended region. The flaw may only be triggered by root‑privileged requests, so non‑privileged users cannot exploit it directly.

Affected Systems

The flaw exists in the device mapper subsystem of the Linux kernel and affects all kernel installations that have not integrated the upstream commit that patches the overflow. Administrators should verify that their kernel package includes the latest patch set or upgrade to a distribution release that contains the fix.

Risk and Exploitability

The CVSS score of 7.0 indicates medium severity, reflecting the risk of kernel memory corruption when a root user issues a malformed ioctl. The EPSS metric is unavailable and the vulnerability is not in the CISA KEV catalog, suggesting no known widespread exploitation yet. Attackers with root privileges could intentionally craft unaligned buffers to trigger the overflow, potentially overwriting kernel memory; however, typical library usage aligns buffers to 8‑byte boundaries, reducing the likelihood of accidental exploitation.

Generated by OpenCVE AI on June 9, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that fixes the dm ioctl buffer overflow, ensuring the system is running a version that includes the upstream commit.
  • Reboot the machine to activate the updated kernel and apply the patch.
  • Limit root access by enforcing the principle of least privilege or restricting capabilities that allow device mapper ioctl calls.

Generated by OpenCVE AI on June 9, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Mon, 08 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm: fix a buffer overflow in ioctl processing Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status: 1. The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there 2. Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr); 3. The alignment doesn't check overflow, so outptr could point past the buffer end 4. The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf); 5. If "outptr" points past "outbuf + len", the arithmetics wraps around and the variable "remaining" contains unusually high number 6. With "remaining" being high, the code writes more data past the end of the buffer Luckily, this bug has no security implications because: 1. Only root can issue device mapper ioctls 2. The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
Title dm: fix a buffer overflow in ioctl processing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:07:06.194Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46294

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:47.757

Modified: 2026-06-08T17:16:47.757

Link: CVE-2026-46294

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46294 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T03:45:26Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound