CVE-2026-46294
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a buffer overflow in ioctl processing
Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:
- The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there
- Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr);
- The alignment doesn't check overflow, so outptr could point past the buffer end
- The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf);
- If "outptr" points past "outbuf + len", the arithmetics wraps around and the variable "remaining" contains unusually high number
- With "remaining" being high, the code writes more data past the end of the buffer
Luckily, this bug has no security implications because:
- Only root can issue device mapper ioctls
- The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c8c5311237448f6ffeecc9aec2362e3692623668 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 526ff9126a0ae087b65726e1faf31114c718020d | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d271631023cbe1cbe7c31a0275ab797883be6e0a | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5af6a879e915ae7bcd83695c316ebb32e1c61bc2 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8daa6c708ef524089ae43f2aed9190acb26d7df8 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2fa49cc884f6496a915c35621ba4da35649bf159 | affected |
| Linux | Linux | 2.6.12 | affected |
| Linux | Linux | 0 < 2.6.12 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.88 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.30 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.7 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668
- https://git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c
- https://git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d
- https://git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a
- https://git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a
- https://git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2
- https://git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8
- https://git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.