CVE-2026-46294
Description
Linux kernel buffer overflow in dm-ioctl's retrieve_status function is mitigated by library usage and root-only access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in the dm-ioctl subsystem of the Linux kernel, specifically within the retrieve_status function. The vulnerability arises when the outptr variable, used for writing status information, is aligned to an 8-byte boundary without an overflow check. This can cause outptr to point beyond the allocated buffer, leading to an integer wrap-around when calculating remaining space and subsequently writing data past the buffer's end. This affects versions of the Linux kernel where this specific code path is present.
Exploitation
Exploitation of this vulnerability requires root privileges to issue device mapper ioctls. Additionally, the commonly used libdevmapper and devicemapper-rs libraries, which typically align their buffers to 8 bytes, must not be used. If these libraries are bypassed or not used, an attacker with root access could potentially trigger the overflow by carefully crafting ioctl calls that lead to the outptr misalignment and subsequent buffer write.
Impact
Despite the presence of a buffer overflow, this vulnerability is stated to have no security implications. This is because the vulnerability is only reachable by the root user, and the standard libraries used to interact with the device mapper (libdevmapper and devicemapper-rs) prevent the conditions necessary for the overflow to occur by ensuring buffer alignment that avoids the overshoot.
Mitigation
This vulnerability has been resolved in the Linux kernel. The specific commit addressing this issue is available at [1] and [2]. As the issue is fixed in the kernel, updating to a patched version of the Linux kernel is the recommended mitigation. No workarounds are necessary as the bug is fixed and its exploitability is limited by library usage and privilege requirements.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
2fa49cc884f6 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 405acc14d7183..a529174c94cf3 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1356,6 +1356,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
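Review bot: the new `break` lands between `used = param->data_start + (outptr - outbuf);` and `spec->next = outptr - outbuf;`, so on the buffer-full path `used` already counts the current target while that target's `spec->next` is never assigned. Please add a comment at the check stating that the entries must not be walked once `DM_BUFFER_FULL_FLAG` is set, or show that `spec->next` is initialized earlier in the loop. The `!outptr` arm also deserves a one-line comment saying it covers `align_ptr()` wrapping to NULL, since that is not obvious from the condition alone.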
c8c531123744 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 0848b6852163d..cc607c77d57fb 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1214,6 +1214,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
448ee8fb79c2 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 108e88fb4c81a..16b6313588086 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1311,6 +1311,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
526ff9126a0a dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index ce533a98f0020..d34e745672ba3 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1316,6 +1316,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
f0b0b09d9840 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 9960889132259..a9cde9fe8fa39 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
d271631023cb dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 2ac79bd567805..ef0fe96e527bd 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
5af6a879e915 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index dd3fc95537cb5..de90feb842ab6 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
8daa6c708ef5 dm: fix a buffer overflow in ioctl processing
1 file changed · +4 −1
drivers/md/dm-ioctl.c+4 −1 modifieddiff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 4de734d82444f..e0c574862d061 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_table *table, used = param->data_start + (outptr - outbuf); outptr = align_ptr(outptr); + if (!outptr || outptr > outbuf + len) { + param->flags |= DM_BUFFER_FULL_FLAG; + break; + } spec->next = outptr - outbuf; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The alignment of a pointer variable in ioctl processing does not check for overflow, leading to a buffer overflow."
Attack vector
An attacker with root privileges must issue a device mapper ioctl command to the `dm-ioctl` module. The command must be crafted such that the `retrieve_status` function is called with specific parameters. This allows the `outptr` variable to be aligned past the end of the output buffer, triggering the overflow when subsequent data is written. [patch_id=5239563]
Affected code
The vulnerability exists in the `retrieve_status` function within the `drivers/md/dm-ioctl.c` file. Specifically, the issue arises after the `outptr` variable is aligned to an 8-byte boundary without proper overflow checking. [patch_id=5239563]
What the fix does
The patch adds a check after aligning the `outptr` variable. If the aligned pointer is null or points beyond the allocated buffer (`outbuf + len`), the `DM_BUFFER_FULL_FLAG` is set, and the loop breaks. This prevents the code from writing past the buffer end, thus mitigating the buffer overflow vulnerability. [patch_id=5239563]
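The overshoot described under "Vulnerability" and the check described above can be followed in a small user-space model; this is an added example, not kernel code and not taken from the patch. The names `emit_records`, `align8` and `struct outcome`, the fixed-size records, and the use of offsets from an 8-byte-aligned buffer start are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not kernel code: offsets are relative to an 8-byte-aligned
 * buffer start, so the buffer end is unaligned when len % 8 != 0. */
struct outcome {
    size_t records;  /* records that fit inside the buffer */
    size_t overrun;  /* offset of the first out-of-bounds write, 0 if none */
    int full;        /* models DM_BUFFER_FULL_FLAG being set */
};

/* Round an offset up to the next 8-byte boundary, like the alignment of outptr. */
static size_t align8(size_t off) { return (off + 7) & ~(size_t)7; }

/* Emit fixed-size records; `patched` enables the post-alignment bounds check.
 * len is bounded so align8() cannot wrap (the patch's !outptr case). */
static struct outcome emit_records(size_t len, size_t rec, int patched)
{
    struct outcome o = {0, 0, 0};
    size_t off = 0;
    if (rec == 0 || len > SIZE_MAX - 8) return o;
    for (;;) {
        size_t remaining = len - off;   /* unsigned: wraps when off > len */
        if (remaining < rec) {          /* the space check the loop relies on */
            o.full = 1;
            break;
        }
        if (off > len) {                /* check passed only because of the wrap */
            o.overrun = off;
            break;
        }
        off += rec;                     /* "write" one record (no memory touched) */
        o.records++;
        size_t aligned = align8(off);
        if (patched && aligned > len) { /* same outcome as the fix: flag and stop */
            o.full = 1;
            break;
        }
        off = aligned;
    }
    return o;
}

int main(void)
{
    struct outcome a = emit_records(13, 11, 0), b = emit_records(13, 11, 1);
    printf("unpatched: records=%zu overrun at offset %zu\n", a.records, a.overrun);
    printf("patched:   records=%zu full=%d\n", b.records, b.full);
    return 0;
}
```

With `len` set to 16 the unpatched loop stops cleanly with the full flag, which is the 8-byte-aligned case the page attributes to libdevmapper and devicemapper-rs.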
Preconditions
- auth: The attacker must have root privileges.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/2fa49cc884f6496a915c35621ba4da35649bf159 (nvd)
- git.kernel.org/stable/c/448ee8fb79c26a26599ffa4b2adeb4322d3d3d8c (nvd)
- git.kernel.org/stable/c/526ff9126a0ae087b65726e1faf31114c718020d (nvd)
- git.kernel.org/stable/c/5af6a879e915ae7bcd83695c316ebb32e1c61bc2 (nvd)
- git.kernel.org/stable/c/8daa6c708ef524089ae43f2aed9190acb26d7df8 (nvd)
- git.kernel.org/stable/c/c8c5311237448f6ffeecc9aec2362e3692623668 (nvd)
- git.kernel.org/stable/c/d271631023cbe1cbe7c31a0275ab797883be6e0a (nvd)
- git.kernel.org/stable/c/f0b0b09d9840838ae77ccdd6a62de0daef4e6e0a (nvd)
News mentions
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026 (Vypr Intelligence · Jun 8, 2026)