CVE-2026-46006
Integer Overflow in Nouveau DRM Pushbuf Reloc Bounds Check

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 6 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  From 6.7 (inc) to 6.12.86 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.175 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.140 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.27 (exc)
linux   linux_kernel  From 6.19 (inc) to 7.0.4 (exc)
linux   linux_kernel  From 2.6.34 (inc) to 5.15.209 (exc)

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

Executive Summary

This vulnerability exists in the Linux kernel's nouveau driver, specifically in the function nouveau_gem_pushbuf_reloc_apply(). The issue is due to an integer overflow when validating relocation offsets.

The code checks if the sum of reloc_bo_offset (a 32-bit unsigned integer) and 4 is greater than the buffer object's size. However, because reloc_bo_offset is 32-bit and the addition is done in 32-bit arithmetic, the sum can wrap around (overflow) before the comparison, potentially bypassing the bounds check.

The fix involves casting the operands to 64-bit integers to ensure the addition is done in 64-bit arithmetic, preventing the overflow and ensuring the bounds check is accurate.
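
The wrap described above can be reproduced in a small userspace model. This is an added example, not the kernel source or the upstream patch: the function names, the 4096-byte buffer size and the sample offsets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the check, not the kernel source. reloc_bo_offset is
 * __u32 in the uapi header; the buffer object size is a size_t. */

/* Pre-fix form: u32 + 4 is evaluated in 32 bits and wraps before the
 * result is widened for the comparison. Returns 1 if the reloc is rejected. */
static int rejected_u32(uint32_t reloc_bo_offset, size_t bo_size)
{
    return reloc_bo_offset + 4 > bo_size;
}

/* Fixed form: widen to 64 bits first, so the sum cannot wrap. */
static int rejected_u64(uint32_t reloc_bo_offset, size_t bo_size)
{
    return (uint64_t)reloc_bo_offset + 4 > bo_size;
}

/* Count offsets that the 32-bit check accepts but the 64-bit check rejects. */
static size_t count_disagreements(const uint32_t *offs, size_t n, size_t bo_size)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (!rejected_u32(offs[i], bo_size) && rejected_u64(offs[i], bo_size))
            hits++;
    return hits;
}

/* Constructed boundary values for a constructed 4096-byte buffer object. */
static const uint32_t samples[] = {
    0u, 4092u, 4093u, 0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFFu,
};
#define N_SAMPLES (sizeof(samples) / sizeof(samples[0]))

int main(void)
{
    const size_t bo_size = 4096;
    puts("offset      u32 check  u64 check");
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("0x%08x  %-9s  %s\n", (unsigned)samples[i],
               rejected_u32(samples[i], bo_size) ? "reject" : "accept",
               rejected_u64(samples[i], bo_size) ? "reject" : "accept");
    printf("disagreements: %zu\n", count_disagreements(samples, N_SAMPLES, bo_size));
    return 0;
}
```

The two checks agree everywhere except for offsets within 4 of the 32-bit maximum, where the 32-bit sum wraps to a small value that passes the comparison.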

Impact Analysis

This vulnerability can lead to incorrect validation of memory relocation offsets in the nouveau driver, potentially allowing out-of-bounds memory access.

Such out-of-bounds access could cause system instability, crashes, or potentially be exploited to execute arbitrary code or escalate privileges, depending on the context in which the driver is used.

Mitigation Strategies

The vulnerability is an integer overflow in the pushbuf relocation bounds check of the Linux kernel's nouveau driver. To mitigate it, update your Linux kernel to a version where the issue is fixed; the fix casts the addition to 64-bit arithmetic to prevent the overflow.

Applying the patch, or upgrading to a kernel version that includes the fix for the drm/nouveau pushbuf reloc bounds check integer overflow, is the immediate step to secure your system.
