CVE-2026-52905
Description
Linux kernel DAMON module allows unaligned region addresses via sysfs interface, potentially leading to instability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's Dynamic Memory Allocation Monitor (DAMON) module has a vulnerability where the damon_start() function can accept non-power of two values for min_region_sz. This was introduced by commit d8f867fa0825 and allowed unaligned DAMON region address ranges. While a later commit (c80f46ac228b) fixed this for damon_commit_ctx(), the sysfs interface via damon_start() remained vulnerable. The affected versions are those between these commits and the final fix. [1]
Exploitation
An attacker with the ability to interact with the DAMON sysfs interface could trigger this vulnerability by providing a non-power of two value for min_region_sz during the damon_start() operation. This interaction likely requires elevated privileges or specific kernel module access, but does not necessarily require network access or user interaction.
Impact
Allowing unaligned DAMON region address ranges can lead to memory corruption or system instability. The exact impact depends on how the kernel handles these unaligned regions, but it could potentially disrupt memory management operations or lead to crashes. The scope of compromise is limited to the kernel's memory management subsystem.
Mitigation
This vulnerability was fixed in the Linux kernel by commit 1de2db19a6028abe7d905875922faef5b873de67. The fixed version is available in the Linux kernel stable tree. No workarounds are disclosed in the available references. [3]
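Why a non-power-of-two min_region_sz yields unaligned ranges, and what the added check rejects, as an added example: this is a user-space C model, not the kernel's code. It assumes region boundaries are rounded with mask arithmetic in the style of the kernel's ALIGN_DOWN(); struct ctx_model, align_down_mask(), rounds_to_multiple() and validate_ctxs() are hypothetical names, and the sample address is constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Same test as the kernel's is_power_of_2(): zero is rejected too. */
static bool is_power_of_2(unsigned long n)
{
	return n != 0 && (n & (n - 1)) == 0;
}

/* Mask-based rounding (assumed, ALIGN_DOWN() style); only correct
 * when a is a power of two. */
static unsigned long align_down_mask(unsigned long x, unsigned long a)
{
	return x & ~(a - 1);
}

/* True when mask rounding of addr really lands on a multiple of sz. */
static bool rounds_to_multiple(unsigned long addr, unsigned long sz)
{
	return align_down_mask(addr, sz) % sz == 0;
}

/* Hypothetical stand-in for struct damon_ctx: only the checked field. */
struct ctx_model {
	unsigned long min_region_sz;
};

/* Model of the loop the patch adds at the top of damon_start(). */
static int validate_ctxs(struct ctx_model **ctxs, int nr_ctxs)
{
	for (int i = 0; i < nr_ctxs; i++) {
		if (!is_power_of_2(ctxs[i]->min_region_sz))
			return -EINVAL;
	}
	return 0;
}

int main(void)
{
	unsigned long addr = 0x12345; /* constructed sample address */
	struct ctx_model good = { 4096 }, bad = { 3000 };
	struct ctx_model *ctxs[] = { &good, &bad };

	printf("sz=4096 -> %#lx\n", align_down_mask(addr, 4096));
	printf("sz=3000 -> %#lx\n", align_down_mask(addr, 3000));
	printf("validate_ctxs: %d\n", validate_ctxs(ctxs, 2));
	return 0;
}
```

With 3000 the mask clears an arbitrary subset of bits, so the rounded address is not a multiple of the requested size; the check refuses the whole start request when any one context carries such a value.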
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (6)
95093e5cb4c5 mm/damon/core: disallow non-power of two min_region_sz on damon_start()
1 file changed · +5 −1
mm/damon/core.c+5 −1 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 3703f62a876b3..c107d74c77e74 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1368,6 +1368,11 @@ int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive) int i; int err = 0; + for (i = 0; i < nr_ctxs; i++) { + if (!is_power_of_2(ctxs[i]->min_region_sz)) + return -EINVAL; + } + mutex_lock(&damon_lock); if ((exclusive && nr_running_ctxs) || (!exclusive && running_exclusive_ctxs)) { -- cgit 1.3-korg
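Review bot: The early return -EINVAL in the new loop at the top of damon_start() has no comment and no diagnostic, so a caller that gets the error cannot tell that min_region_sz was the cause or which of the nr_ctxs contexts failed. Suggest a short comment above the loop saying why min_region_sz must be a power of two, and noting that is_power_of_2() also rejects zero, so that case needs no separate check.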
1de2db19a602 mm/damon/core: disallow non-power of two min_region_sz on damon_start()
1 file changed · +5 −1
mm/damon/core.c+5 −1 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 7738095ea4ce3..c46236b73b2d6 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1352,6 +1352,11 @@ int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive) int i; int err = 0; + for (i = 0; i < nr_ctxs; i++) { + if (!is_power_of_2(ctxs[i]->min_sz_region)) + return -EINVAL; + } + mutex_lock(&damon_lock); if ((exclusive && nr_running_ctxs) || (!exclusive && running_exclusive_ctxs)) { -- cgit 1.3-korg
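Review bot: The added check reads ctxs[i]->min_sz_region, while the commit subject names the field min_region_sz. If the field is called min_sz_region in this tree, say so in the commit message so the subject and the code can be matched when searching the log; if not, this line needs the other name.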
89b6226b6c2a mm/damon/core: disallow non-power of two min_region_sz on damon_start()
1 file changed · +5 −1
mm/damon/core.c+5 −1 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index f7b1e074e7fdf..3a58c4984f278 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1368,6 +1368,11 @@ int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive) int i; int err = 0; + for (i = 0; i < nr_ctxs; i++) { + if (!is_power_of_2(ctxs[i]->min_region_sz)) + return -EINVAL; + } + mutex_lock(&damon_lock); if ((exclusive && nr_running_ctxs) || (!exclusive && running_exclusive_ctxs)) { -- cgit 1.3-korg
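Review bot: The new loop reads ctxs[i]->min_region_sz before mutex_lock(&damon_lock) is taken, so the value validated here is not protected by the lock that guards the rest of damon_start(). If that is intentional because the contexts are not yet running and only the caller can modify them, a one-line comment saying so would help; otherwise move the loop below mutex_lock() and release the lock on the -EINVAL path.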
References (3)
News mentions (1)
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8-9, 2026 (Vypr Intelligence · Jun 9, 2026)