CVE-2026-46281
Description
Linux kernel vmalloc buffer overflow allows out-of-bounds write during allocation shrinking, potentially leading to system instability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's vmalloc subsystem contains a buffer overflow in vrealloc_node_align(). When an allocation is shrunk on the path that must reallocate rather than shrink in place, the code copies old_size bytes into a new buffer that was allocated for only size bytes; if size is less than old_size, the copy writes past the end of the new buffer. The bug was introduced by commit 4c5d3365882d, so kernels containing that commit are affected until they receive the fix.
Exploitation
An attacker would need to reach a kernel code path that shrinks an allocation through vrealloc_node_align() and forces a reallocation rather than an in-place shrink. That typically requires elevated privileges or some other way to influence kernel memory operations, such as a local exploit or a driver vulnerability. A shrink request whose new size is smaller than the old size then triggers the out-of-bounds write.
Impact
The out-of-bounds write caused by this vulnerability can lead to memory corruption within the kernel. This can result in system instability, crashes (kernel panics), or potentially allow an attacker to overwrite critical kernel data, leading to arbitrary code execution with kernel privileges.
Mitigation
This vulnerability has been fixed in the Linux kernel: the fix bounds the copy length by the new allocation size, so the copy can no longer overrun the new buffer. Users should update to a patched kernel. The specific fixed version and release date are not given in the provided references; reference [1] is a bot-detection placeholder page and contains no technical details about the fix or mitigation.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 6
b281adf71f78 vmalloc: fix buffer overflow in vrealloc_node_align()
1 file changed · +1 −2
mm/vmalloc.c+1 −2 modifieddiff --git a/mm/vmalloc.c b/mm/vmalloc.c index 676851d5cfe77..2c2f74a07f396 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4361,7 +4361,7 @@ need_realloc: return NULL; if (p) { - memcpy(n, p, old_size); + memcpy(n, p, min(size, old_size)); vfree(p); } -- cgit 1.3-korg
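Review bot: the file stat reads "+1 −2" but the hunk shown accounts for only one removed line (`- memcpy(n, p, old_size);`) against one added line, so a second removed line exists outside the displayed hunk; either the stat is out of sync with the hunk or the listing is truncated and should show the other removal. The one-line change itself is correct for the shrink case, but a short comment above `memcpy(n, p, min(size, old_size));` saying that old_size may exceed size here would keep a future cleanup from "simplifying" it back.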
e9b057a44def vmalloc: fix buffer overflow in vrealloc_node_align()
1 file changed · +1 −2
mm/vmalloc.c+1 −2 modifieddiff --git a/mm/vmalloc.c b/mm/vmalloc.c index c5368e171411d..021fc25268866 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4201,7 +4201,7 @@ need_realloc: return NULL; if (p) { - memcpy(n, p, old_size); + memcpy(n, p, min(size, old_size)); vfree(p); } -- cgit 1.3-korg
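Review bot: this backport lands the same `min(size, old_size)` bound at line 4201, and the hunk shows that the only error path above it is `return NULL;` when the new buffer could not be obtained; since `p` is only freed inside `if (p)`, the old allocation is kept alive on that failure, which is the right behaviour for a realloc, but the commit message quoted in the title does not say so. Suggest stating in the message that the caller still owns `p` when NULL is returned, so the stable-tree reviewers do not have to re-derive it.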
82d1f01292d3 vmalloc: fix buffer overflow in vrealloc_node_align()
1 file changed · +1 −2
mm/vmalloc.c+1 −2 modifieddiff --git a/mm/vmalloc.c b/mm/vmalloc.c index aa08651ec0df6..c31a8615a8328 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -4361,7 +4361,7 @@ need_realloc: return NULL; if (p) { - memcpy(n, p, old_size); + memcpy(n, p, min(size, old_size)); vfree(p); } -- cgit 1.3-korg
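Review bot: `min(size, old_size)` fixes the shrink direction, but the hunk gives no hint about the grow direction (size > old_size), where the bytes of `n` beyond `old_size` are not touched by this memcpy; whether the caller may read them depends on how `n` was allocated, which is outside the displayed context. Worth a one-line comment at the memcpy stating which prefix of the new buffer is defined after the copy.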
Vulnerability mechanics
Root cause
"The vrealloc_node_align function incorrectly copies data when shrinking an allocation, leading to an out-of-bounds write."
Attack vector
An attacker can trigger this vulnerability by calling the vrealloc_node_align function with parameters that cause the allocation to be shrunk (size < old_size) while also forcing a reallocation due to NUMA node or alignment constraints [patch_id=5239459]. This specific path within the vmalloc subsystem leads to an out-of-bounds write on the newly allocated buffer.
Affected code
The vulnerability exists in the `vrealloc_node_align` function within the `mm/vmalloc.c` file. Specifically, the `memcpy` operation on the `need_realloc` path is affected.
What the fix does
The patch modifies the memcpy call within the vrealloc_node_align function to use min(size, old_size) as the copy length [patch_id=5239459]. This ensures that the number of bytes copied from the old buffer to the new buffer does not exceed the size of the new buffer, thus preventing the out-of-bounds write when shrinking an allocation.
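To make the copy-length bound concrete, here is an added userland model of the need_realloc path that is not kernel code: the pre-fix and post-fix copy lengths are computed side by side, the number of bytes that would land past the new buffer is reported for each, and a shrink of a constructed 16-byte pattern to 8 bytes is run through the fixed path. `model_vrealloc`, `overflow_bytes` and the helper names are assumed for this illustration; calloc/free stand in for the fresh vmalloc and vfree.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Copy length as computed before the fix: always the old size. */
static size_t copy_len_before_fix(size_t size, size_t old_size)
{
    (void)size;
    return old_size;
}

/* Copy length after the fix: never more than the new buffer holds. */
static size_t copy_len_after_fix(size_t size, size_t old_size)
{
    return size < old_size ? size : old_size;
}

/* Bytes a memcpy of copy_len into a buffer of `size` bytes would write
 * past its end; zero means the copy stays in bounds. */
size_t overflow_bytes(size_t size, size_t copy_len)
{
    return copy_len > size ? copy_len - size : 0;
}

size_t overflow_before_fix(size_t size, size_t old_size)
{
    return overflow_bytes(size, copy_len_before_fix(size, old_size));
}

size_t overflow_after_fix(size_t size, size_t old_size)
{
    return overflow_bytes(size, copy_len_after_fix(size, old_size));
}

/* Model of the need_realloc path with the fixed bound: obtain a fresh
 * buffer of `size` bytes, copy the surviving prefix, release the old one.
 * On allocation failure the caller keeps ownership of p, as in the kernel. */
unsigned char *model_vrealloc(unsigned char *p, size_t old_size, size_t size)
{
    unsigned char *n = calloc(size, 1);   /* stands in for the new vmalloc */
    if (!n)
        return NULL;
    if (p) {
        memcpy(n, p, copy_len_after_fix(size, old_size));
        free(p);                          /* stands in for vfree(p) */
    }
    return n;
}

/* Shrink a constructed 16-byte pattern to 8 bytes; 1 if the prefix survived. */
int shrink_preserves_prefix(void)
{
    size_t i;
    int ok;
    unsigned char *p = malloc(16);
    if (!p)
        return 0;
    for (i = 0; i < 16; i++)
        p[i] = (unsigned char)i;          /* constructed sample content */
    unsigned char *n = model_vrealloc(p, 16, 8);
    ok = n != NULL;
    for (i = 0; ok && i < 8; i++)
        ok = n[i] == (unsigned char)i;
    free(n);
    return ok;
}
```

Running the pre-fix length through a real copy under a sanitizer is how the overrun shows up in testing; the model above only reports how far past the buffer it would reach.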
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.