CVE-2026-46294 - Vulnerability Details

- dm: fix a buffer overflow in ioctl processing

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: fix a buffer overflow in ioctl processing

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the
function retrieve_status:

1. The code in retrieve_status checks that the output string fits into
the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte
boundary:
outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the
buffer end
4. The "for" loop is iterated again, it executes:
remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetics wraps around
and the variable "remaining" contains unusually high number
6. With "remaining" being high, the code writes more data past the end of
the buffer

Luckily, this bug has no security implications because:
1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper
(libdevmapper and devicemapper-rs) use buffer size that is aligned to
8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input
buffer and the bug can't happen accidentally

Published: 2026-06-08

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a buffer overflow in the Linux kernel's device mapper ioctl handling routine retrieve_status. The code aligns a pointer without checking bounds, allowing the pointer to exceed the intended output buffer and write beyond it. While only root users can issue device mapper ioctls, the overflow could corrupt kernel memory or trigger a crash if the buffer alignment is violated. The vendor notes that the commonly used libraries provide 8‑byte aligned buffers, preventing incidental exploitation.

Affected Systems

The flaw exists in the kernel's device mapper subsystem and affects all Linux kernel installations that have not applied the latest upstream commit. Specific affected versions are not listed, so administrators should ensure the kernel is patched to the latest stable release available from their distribution or upstream.

Risk and Exploitability

The issue carries no documented exploitation and is restricted to privileged users; therefore the immediate risk is low. Because EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, the likelihood of real‑world attacks is assumed minimal. Nonetheless, an attacker with root privileges who intentionally misuses unaligned buffers could exploit it to overwrite memory, but standard usage with aligned buffers mitigates this risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c8c5311237448f6ffeecc9aec2362e3692623668
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 526ff9126a0ae087b65726e1faf31114c718020d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d271631023cbe1cbe7c31a0275ab797883be6e0a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5af6a879e915ae7bcd83695c316ebb32e1c61bc2
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8daa6c708ef524089ae43f2aed9190acb26d7df8
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2fa49cc884f6496a915c35621ba4da35649bf159
`0`	affected	< 5.10.258
`0`	affected	< 5.15.209
`0`	affected	< 6.1.175
`0`	affected	< 6.6.140
`0`	affected	< 6.12.88
`0`	affected	< 6.18.30
`0`	affected	< 7.0.7

Linux

affected

Version	Status	Constraints
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c8c5311237448f6ffeecc9aec2362e3692623668)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,526ff9126a0ae087b65726e1faf31114c718020d)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d271631023cbe1cbe7c31a0275ab797883be6e0a)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5af6a879e915ae7bcd83695c316ebb32e1c61bc2)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8daa6c708ef524089ae43f2aed9190acb26d7df8)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2fa49cc884f6496a915c35621ba4da35649bf159)`	affected	generic	—
`[0,5.10.258)`	affected	semver	—
`[0,5.15.209)`	affected	semver	—
`[0,6.1.175)`	affected	semver	—
`[0,6.6.140)`	affected	semver	—
`[0,6.12.88)`	affected	semver	—
`[0,6.18.30)`	affected	semver	—
`[0,7.0.7)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0,5.10.*]`	unaffected	semver	—
`[0,5.15.*]`	unaffected	semver	—
`[0,6.1.*]`	unaffected	semver	—
`[0,6.6.*]`	unaffected	semver	—
`[0,6.12.*]`	unaffected	semver	—
`[0,6.18.*]`	unaffected	semver	—
`[0,7.0.*]`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the upstream commit fixing the bug.
Verify that library implementations of device mapper, such as libdevmapper and devicemapper-rs, use 8‑byte aligned buffers and update them if necessary.
For custom tools that interact with the device mapper, inspect ioctl handling code to ensure proper buffer bounds checking and alignments are maintained.

Generated by OpenCVE AI on June 8, 2026 at 18:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159
https://git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c
https://git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d
https://git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2
https://git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8
https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668
https://git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a
https://git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a

History

Mon, 08 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dm: fix a buffer overflow in ioctl processing Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status: 1. The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there 2. Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr); 3. The alignment doesn't check overflow, so outptr could point past the buffer end 4. The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf); 5. If "outptr" points past "outbuf + len", the arithmetics wraps around and the variable "remaining" contains unusually high number 6. With "remaining" being high, the code writes more data past the end of the buffer Luckily, this bug has no security implications because: 1. Only root can issue device mapper ioctls 2. The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
Title		dm: fix a buffer overflow in ioctl processing
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159 https://git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c https://git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d https://git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2 https://git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8 https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668 https://git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a https://git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-08T15:46:21.401Z

Updated: 2026-06-08T15:46:21.401Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46294

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T17:16:47.757

Modified: 2026-06-08T17:16:47.757

Link: CVE-2026-46294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:00:15Z

Weaknesses

CWE-120

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object