VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 3, 2026· Updated Apr 18, 2026

CVE-2026-23474

CVE-2026-23474

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: Avoid boot crash in RedBoot partition table parser

Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops.

Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE

As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation."

Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A RedBoot partition table parser in the Linux kernel uses memcmp with a length that may exceed the allocation, triggering a fortify warning and boot crash when CONFIG_FORTIFY_SOURCE is enabled with recent compilers.

Vulnerability

CVE-2026-23474 describes a buffer overread in the Linux kernel's RedBoot partition table parser (mtd). When CONFIG_FORTIFY_SOURCE=y is set with a recent compiler, the aggressive bounds checking now raises a memcmp: detected buffer overflow warning, followed by a kernel oops during boot [1]. The root cause is that the code uses memcmp() with a namelen length argument that can be up to 14 bytes, but the destination pointer names only points into an allocation of size 14 (the total available space). As explained in the commit message, `'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation.'

Exploitation

This vulnerability is triggered during normal boot when the kernel parses the RedBoot partition table from flash. No special privileges or authentication are required, as it occurs in the early boot path before userspace is available. An attacker who can control the partition table data on flash (e.g., via physical access or a previous compromise) could potentially craft a malicious table to induce the overread, though the primary impact is a denial of service from the crash.

Impact

The immediate consequence is a kernel crash (oops) that prevents the system from booting. While the overread may not allow data exfiltration or privilege escalation in the common case, a denial-of-service condition is reliably triggered on systems with RedBoot partition tables when the fortified kernel is used.

Mitigation

The fix has been applied in the Linux kernel stable tree [1][2][3][4] and replaces the unsafe memcmp() with strcmp(), which naturally stops at a null terminator and thus stays within the allocated buffer. Users should update to a kernel version containing the patch or backport the change. No workaround is available for unpatched kernels; disabling CONFIG_FORTIFY_SOURCE would avoid the crash but would remove a valuable security hardening feature.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.