CVE-2026-46190
Description
In the Linux kernel, the following vulnerability has been resolved:
mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
Sashiko noticed an out-of-bounds read [1].
In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).
Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.
Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.
Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds read in Linux kernel's spi-nor debugfs due to sizeof() on pointer array instead of ARRAY_SIZE().
Vulnerability
In the Linux kernel, spi_nor_params_show() in drivers/mtd/spi-nor/debugfs.c used sizeof(snor_f_names) to pass the size of a string array to spi_nor_print_flags(). Since snor_f_names is an array of pointers, sizeof() returns the byte size (element count multiplied by pointer size, e.g., 8 on 64-bit) rather than the element count. This causes names_len to be dramatically inflated, leading to an out-of-bounds read when a flag bit is set beyond the actual array length but within the inflated bound. Affected versions are those prior to the stable commit [1].
Exploitation
An attacker requires no special privileges; the bug is triggered by reading the debugfs file that calls spi_nor_params_show(). Since debugfs is typically accessible to root, but can be exposed via a chroot or container with debugfs mounted, the attacker only needs the ability to open and read that file. The out-of-bounds read occurs when the SPI NOR flash parameters contain a flag whose bit index exceeds the number of named strings in the array.
Impact
The out-of-bounds read can leak kernel memory contents to userspace via the debugfs file output. The read is bounded by the inflated names_len, which on 64-bit systems is 8 times the correct value, allowing adjacent heap data to be disclosed. This could potentially expose sensitive information like kernel pointers or other data. There is no information about code execution or privilege escalation.
Mitigation
The fix has been merged into the Linux kernel stable tree (commit [1]). Users should apply kernel updates that include the commit. No workaround is available; disabling debugfs with echo 0 > /proc/sys/kernel/debug_disabled can block access but is not a complete mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
10c0b654bc0b76mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
2 files changed · +6 −4
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
9a80c458320emtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
2 files changed · +6 −4
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index 6e163cb5b478c8..2f6098e47119b0 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index 6e163cb5b478c8..2f6098e47119b0 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
ca18c180b053mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
2 files changed · +6 −4
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
34bdcfb496b2mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
2 files changed · +6 −4
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
e47029b977e7mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
2 files changed · +6 −4
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
e47029b977e7mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
1 file changed · +3 −2
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
ca18c180b053mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
1 file changed · +3 −2
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
34bdcfb496b2mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
1 file changed · +3 −2
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
9a80c458320emtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
1 file changed · +3 −2
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index 6e163cb5b478c8..2f6098e47119b0 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
c0b654bc0b76mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
1 file changed · +3 −2
drivers/mtd/spi-nor/debugfs.c+3 −2 modifieddiff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c index fa6956144d2e44..14ba1680c31547 100644 --- a/drivers/mtd/spi-nor/debugfs.c +++ b/drivers/mtd/spi-nor/debugfs.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 +#include <linux/array_size.h> #include <linux/debugfs.h> #include <linux/mtd/spi-nor.h> #include <linux/spi/spi.h> @@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data) seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); seq_puts(s, "flags\t\t"); - spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); + spi_nor_print_flags(s, nor->flags, snor_f_names, + ARRAY_SIZE(snor_f_names)); seq_puts(s, "\n"); seq_puts(s, "\nopcodes\n"); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Incorrect use of sizeof() on an array of pointers in spi_nor_params_show() passes a byte count instead of element count to spi_nor_print_flags(), causing an out-of-bounds read when a flag bit beyond the array's actual element count is set."
Attack vector
The vulnerability is in the debugfs interface of the SPI-NOR driver. When a user reads the debugfs file that triggers spi_nor_params_show(), the function calls spi_nor_print_flags() with sizeof(snor_f_names) as the names_len argument. Since snor_f_names is an array of pointers, sizeof() returns the total byte size (element_count * sizeof(void*)), which on 64-bit systems is 8x larger than the actual element count. If a flag bit is set in nor->flags that corresponds to an index between the true element count and the inflated byte-size count, spi_nor_print_flags() reads past the end of the snor_f_names array [patch_id=2897911]. No special privileges beyond local debugfs access are required.
Affected code
The vulnerable function is spi_nor_params_show() in drivers/mtd/spi-nor/debugfs.c. The bug is on the line that calls spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)) — sizeof(snor_f_names) is used instead of ARRAY_SIZE(snor_f_names) [patch_id=2897911].
What the fix does
The patch replaces sizeof(snor_f_names) with ARRAY_SIZE(snor_f_names) in the call to spi_nor_print_flags() inside spi_nor_params_show() [patch_id=2897911]. ARRAY_SIZE() correctly computes the number of elements in the array, not the total byte size. The patch also adds the missing #include <linux/array_size.h> to ensure the macro is available. This ensures that the names_len parameter passed to spi_nor_print_flags() accurately reflects the array's element count, preventing the out-of-bounds read when bounds-checking flag bit indices.
Preconditions
- authThe attacker must have access to the debugfs filesystem (typically root or local access on the system).
- configA SPI-NOR flash device must be present and have its debugfs interface enabled.
- inputThe nor->flags bitmask must have a bit set that corresponds to an index between the true element count of snor_f_names and the inflated sizeof() value.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/34bdcfb496b29f9a52431194f94473b37fb8c162nvd
- git.kernel.org/stable/c/9a80c458320e0514e11945402dd6e48fcee05524nvd
- git.kernel.org/stable/c/c0b654bc0b76a1da102d9138be1ed1223bd99310nvd
- git.kernel.org/stable/c/ca18c180b053f6ce80394322b314ac721c316af7nvd
- git.kernel.org/stable/c/e47029b977e747cb3a9174308fd55762cce70147nvd
News mentions
0No linked articles in our index yet.