VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46161

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the "improved" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.

Validate nc and fc immediately after extraction, returning -1 if either is zero.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A divide-by-zero vulnerability in the Linux kernel's md/raid10 driver allows a local attacker to crash the system by setting a zero far_copies value in the RAID10 layout parameter.

Vulnerability

In the Linux kernel's md/raid10 driver, the function setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without validating that they are non-zero. When fc=0 and the "improved" far set layout is selected, the calculation geo->far_set_size = disks / fc triggers a divide-by-zero, causing a kernel crash. This affects Linux kernel versions prior to the inclusion of commit 4af2e558e6fd [1].

Exploitation

An attacker must have the ability to configure a RAID10 array, typically requiring root privileges or access to the mdadm utility. By specifying a layout parameter with far_copies=0 and selecting the improved far set layout, the attacker can trigger the divide-by-zero when the kernel processes the configuration. No user interaction beyond setting the parameter is needed.

Impact

Successful exploitation results in a kernel panic (denial of service), crashing the system. There is no evidence of privilege escalation or data corruption beyond the crash.

Mitigation

The fix is included in Linux kernel commit 4af2e558e6fd [1], which validates that nc and fc are non-zero and returns an error if either is zero. Users should apply the patch or update to a kernel version containing this commit. No workaround is available.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

913d556e4bd1

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Junrui Luo · Apr 16, 2026 · Fixed in 6.18.30 · via kernel-cna
1 file changed · +2 1
  • drivers/md/raid10.c · +2 1 modified
    diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
    index 706037d2a87c45..2815c05d1c9f0b 100644
    --- a/drivers/md/raid10.c
    +++ b/drivers/md/raid10.c
    @@ -3856,6 +3856,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
     	nc = layout & 255;
     	fc = (layout >> 8) & 255;
     	fo = layout & (1<<16);
    +	if (!nc || !fc)
    +		return -1;
     	geo->raid_disks = disks;
     	geo->near_copies = nc;
     	geo->far_copies = fc;
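Review bot: the new `if (!nc || !fc)` check carries no comment saying why zero is rejected. A one-line comment noting that fc is later used as a divisor (`geo->far_set_size = disks / fc`, per the commit description) would keep the guard from being dropped as redundant in a later cleanup.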
    -- 
    cgit 1.3-korg
    
    
    
4af2e558e6fd

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Junrui Luo · Apr 16, 2026 · Fixed in 6.6.140 · via kernel-cna
1 file changed · +2 1
  • drivers/md/raid10.c · +2 1 modified
    diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
    index 99aabf5734f5d9..fd03c01bcf2571 100644
    --- a/drivers/md/raid10.c
    +++ b/drivers/md/raid10.c
    @@ -3986,6 +3986,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
     	nc = layout & 255;
     	fc = (layout >> 8) & 255;
     	fo = layout & (1<<16);
    +	if (!nc || !fc)
    +		return -1;
     	geo->raid_disks = disks;
     	geo->near_copies = nc;
     	geo->far_copies = fc;
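Review bot: `return -1;` in the added guard hands the caller a bare -1 rather than an errno. If -1 is this function's existing convention that is fine, but it is worth confirming that every caller of setup_geo() checks for a negative return and reports the layout as invalid, since the guard exits before any field of geo is written.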
    -- 
    cgit 1.3-korg
    
    
    
9d8e03b9a2b1

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Junrui Luo · Apr 16, 2026 · Fixed in 6.12.88 · via kernel-cna
1 file changed · +2 1
  • drivers/md/raid10.c · +2 1 modified
    diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
    index 4b02313854b67c..5cc827cff9181e 100644
    --- a/drivers/md/raid10.c
    +++ b/drivers/md/raid10.c
    @@ -3872,6 +3872,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
     	nc = layout & 255;
     	fc = (layout >> 8) & 255;
     	fo = layout & (1<<16);
    +	if (!nc || !fc)
    +		return -1;
     	geo->raid_disks = disks;
     	geo->near_copies = nc;
     	geo->far_copies = fc;
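Review bot: the guard rejects `!nc` as well as `!fc`, but the commit description only identifies fc as a divisor. The message should say what a zero near_copies would break, so the nc half of the condition is justified on its own and not just carried along.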
    -- 
    cgit 1.3-korg
    
    
    
f9ddb621b232

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Junrui Luo · Apr 16, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +2 1
  • drivers/md/raid10.c · +2 1 modified
    diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
    index 12cbeec026c55c..698d169628a02d 100644
    --- a/drivers/md/raid10.c
    +++ b/drivers/md/raid10.c
    @@ -3791,6 +3791,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
     	nc = layout & 255;
     	fc = (layout >> 8) & 255;
     	fo = layout & (1<<16);
    +	if (!nc || !fc)
    +		return -1;
     	geo->raid_disks = disks;
     	geo->near_copies = nc;
     	geo->far_copies = fc;
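Review bot: the check at `if (!nc || !fc)` only excludes zero, so fc can still be any value from 1 to 255 after the `& 255` mask and may exceed disks. In that case `disks / fc` evaluates to 0 for far_set_size. The hunk does not show whether that is caught elsewhere; please confirm, or extend the validation here.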
    -- 
    cgit 1.3-korg
    
    
    
9aa6d860b093

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Junrui Luo · Apr 16, 2026 · Fixed in 7.1-rc2 · via kernel-cna
1 file changed · +2 1
  • drivers/md/raid10.c · +2 1 modified
    diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
    index 4901ebe45c8755..39085e7dd6d26d 100644
    --- a/drivers/md/raid10.c
    +++ b/drivers/md/raid10.c
    @@ -3791,6 +3791,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
     	nc = layout & 255;
     	fc = (layout >> 8) & 255;
     	fo = layout & (1<<16);
    +	if (!nc || !fc)
    +		return -1;
     	geo->raid_disks = disks;
     	geo->near_copies = nc;
     	geo->far_copies = fc;
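Review bot: the two-line guard lands with no accompanying test (1 file changed, drivers/md/raid10.c only). A regression test that passes a layout whose nc or fc byte is zero and expects setup_geo() to fail would stop the check from regressing unnoticed.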
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing input validation in setup_geo() allows zero-valued near_copies or far_copies to be used as a divisor, triggering a divide-by-zero."

Attack vector

An attacker with the ability to set the RAID10 layout parameter (e.g., via mdadm or direct ioctl) can supply a layout value where the far_copies byte (bits 8-15) is zero. When the "improved" far set layout is selected, the function setup_geo() computes 'geo->far_set_size = disks / fc' without first checking that fc is non-zero, causing a division by zero and a kernel crash (denial of service). The same issue applies if near_copies (bits 0-7) is zero, though the immediate divide-by-zero path is triggered by fc=0.

Affected code

The vulnerable function is setup_geo() in drivers/md/raid10.c. The fault lies in the extraction of near_copies (nc) and far_copies (fc) from the user-provided layout parameter without validating they are non-zero before they are used in division operations such as 'geo->far_set_size = disks / fc'.

What the fix does

The patch adds a guard immediately after extracting nc and fc from the layout parameter: 'if (!nc || !fc) return -1;' [patch_id=2898168]. This ensures that if either value is zero, setup_geo() returns an error before any division using fc occurs. The fix is minimal and placed before the values are assigned to the geo structure, preventing the divide-by-zero at the source.
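A user-space model of the decode and guard described above, added here as an illustration (not kernel code and not from the patch author). The `geo_model` struct, `decode_layout()` and the `far_set_mode` argument are hypothetical; the hunk does not show how the kernel selects the far-set layout, so the model takes it as a separate argument.

```c
#include <stdio.h>

/* Hypothetical user-space model; names are illustrative, not kernel API. */
enum far_set_mode { FAR_SET_ORIGINAL, FAR_SET_IMPROVED };

struct geo_model {
	int raid_disks, near_copies, far_copies, far_set_size;
};

/*
 * Decode a layout word as the hunk does and apply the guard before
 * anything is written to *geo. Returns 0 on success, -1 if the layout
 * is rejected (geo is left untouched in that case).
 */
int decode_layout(struct geo_model *geo, unsigned int layout, int disks,
		  enum far_set_mode mode)
{
	int nc = layout & 255;         /* near_copies, bits 0-7 */
	int fc = (layout >> 8) & 255;  /* far_copies, bits 8-15 */

	if (!nc || !fc)                /* the guard added by the fix */
		return -1;

	geo->raid_disks = disks;
	geo->near_copies = nc;
	geo->far_copies = fc;
	/* Division is safe only because fc != 0 was checked above.
	 * The non-improved case is modelled as far_set_size = disks
	 * (assumption; that branch is not shown on the page). */
	geo->far_set_size = (mode == FAR_SET_IMPROVED) ? disks / fc : disks;
	return 0;
}

int main(void)
{
	/* Constructed sample layout words: 0x0002 has fc = 0, 0x0100 has nc = 0. */
	unsigned int samples[] = { 0x0102, 0x0201, 0x0002, 0x0100 };
	struct geo_model g;

	for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (decode_layout(&g, samples[i], 4, FAR_SET_IMPROVED) == 0)
			printf("0x%05x: nc=%d fc=%d far_set_size=%d\n",
			       samples[i], g.near_copies, g.far_copies, g.far_set_size);
		else
			printf("0x%05x: rejected\n", samples[i]);
	}
	return 0;
}
```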

Preconditions

  • input: Ability to set the RAID10 layout parameter (e.g., via mdadm or ioctl) with a value where far_copies (bits 8-15) is zero
  • config: The 'improved' far set layout must be selected (layout bit 16 set)

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
