CVE-2026-23474
Received - Intake
Buffer Overflow in Linux Kernel MTD RedBoot Partition Parser

Publication date: 2026-04-03

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mtd: Avoid boot crash in RedBoot partition table parser

Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops.

    Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000
    ------------[ cut here ]------------
    WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1
    memcmp: detected buffer overflow: 15 byte read of buffer size 14
    Modules linked in:
    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE

As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation."

Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.

Meta Information
Published: 2026-04-03
Last Modified: 2026-04-18
Generated: 2026-05-06
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | 6.19.0
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the RedBoot partition table parser of the Linux kernel's MTD subsystem. When CONFIG_FORTIFY_SOURCE is enabled and a recent compiler is used, the kernel reports a buffer overflow because memcmp() reads beyond the allocated buffer. The size of the dynamic allocation is calculated with strlen(), but the code then calls memcmp(), which can read more bytes than were allocated; the fortify check catches this, and the result is a warning and a crash (oops). The fix replaces memcmp() with strcmp() so that the comparison stays within the bounds of the allocation.
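An added userspace model of the overread, not the kernel's code and not part of the original advisory: it packs names into an area sized with strlen() + 1 per name, then compares the last name with a fixed-length memcmp() and with strcmp(). The partition names and the helpers `checked_memcmp` and `compare_last` are constructed for illustration, chosen so the reported numbers match the quoted warning (15 byte read of buffer size 14).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model, not kernel code: names are packed back to back in an
 * area whose size is the sum of strlen(name) + 1, as the advisory describes. */
struct name_area { char *base; size_t size; };

/* Fortify-style bounds check for a fixed-length compare starting at p.
 * Returns 1 on match, 0 on mismatch, -1 if n bytes would pass the end. */
static int checked_memcmp(const struct name_area *a, const char *p, const char *lit, size_t n)
{
    size_t remaining = a->size - (size_t)(p - a->base);
    if (n > remaining) {
        fprintf(stderr, "memcmp: detected buffer overflow: %zu byte read of buffer size %zu\n", n, remaining);
        return -1;
    }
    return memcmp(p, lit, n) == 0;
}

/* Packs the names, then compares the LAST one against lit both ways:
 * out[0] = fixed-length memcmp, out[1] = strcmp (stops at the stored NUL). */
static int compare_last(const char **names, size_t count, const char *lit, int out[2])
{
    struct name_area a = { NULL, 0 };
    for (size_t i = 0; i < count; i++)
        a.size += strlen(names[i]) + 1;
    if (count == 0 || !(a.base = malloc(a.size)))
        return -1;
    char *p = a.base, *last = a.base;
    for (size_t i = 0; i < count; i++) {
        last = p;
        strcpy(p, names[i]);
        p += strlen(names[i]) + 1;
    }
    out[0] = checked_memcmp(&a, last, lit, strlen(lit) + 1);
    out[1] = strcmp(last, lit) == 0;
    free(a.base);
    return 0;
}

int main(void)
{
    const char *names[] = { "RedBoot", "FIS directory" }; /* constructed */
    int r[2];
    if (compare_last(names, 2, "RedBoot config", r) == 0)
        printf("memcmp model: %d, strcmp: %d\n", r[0], r[1]);
    return 0;
}
```

The fixed-length compare is only safe when the literal is no longer than what remains of the allocation, which the parser cannot guarantee for the final name; strcmp() gives the same match result without that dependency.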


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (a boot crash) when parsing the RedBoot partition table. This happens because of a buffer overflow detected by the fortify source mechanism, which leads to an 'oops' or kernel panic. Such a crash can result in system instability or denial of service during boot.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by the change "mtd: Avoid boot crash in RedBoot partition table parser".

To mitigate it, update your Linux kernel to a version that includes this fix, which replaces memcmp() with strcmp() in the affected code to prevent reading beyond the end of the allocation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel warning and an oops related to a buffer overflow detected in the RedBoot partition table parser when CONFIG_FORTIFY_SOURCE=y and a recent compiler is used.

To detect this vulnerability on your system, you can check the kernel logs for the specific warning message indicating a buffer overflow in memcmp within the RedBoot partition table parser.

  • Use the command: dmesg | grep -i 'memcmp: detected buffer overflow'
  • Alternatively, check system logs with: journalctl -k | grep -i 'memcmp: detected buffer overflow'

These commands help identify if the kernel has logged the specific buffer overflow warning related to this vulnerability.

