CVE-2026-46020
Analyzed - Analysis Complete
Memory Corruption in Linux Kernel DAMON Core

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp

Patch series "mm/damon/core: validate damos_quota_goal->nid".

node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The node id is used for si_meminfo_node() and NODE_DATA() without proper validation. As a result, privileged users can trigger an out of bounds memory access using DAMON_SYSFS. Fix the issues.

The issue was originally reported [1] with a fix by another author. The original author announced [2] that they will stop working, including on the fix that was still in the review stage. Hence I'm restarting this.

This patch (of 2):

Users can set damos_quota_goal->nid with an arbitrary value for node_mem_{used,free}_bp. But DAMON core is using those for si_meminfo_node() without validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using the DAMON user-space tool (damo), like below.

    $ sudo ./damo start --damos_action stat \
        --damos_quota_goal node_mem_used_bp 50% -1 \
        --damos_quota_interval 1s
    $ sudo dmesg
    [...]
    [   65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098

Fix this issue by adding the validation of the given node. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.
Meta Information

  • Published: 2026-05-27
  • Last Modified: 2026-06-16
  • Generated: 2026-06-16
  • AI Q&A: 2026-05-27
  • EPSS Evaluated: 2026-06-15
  • External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

  Vendor   Product        Version / Range
  linux    linux_kernel   from 6.19 (inclusive) to 7.0.4 (exclusive)
  linux    linux_kernel   from 6.16 (inclusive) to 6.18.27 (exclusive)
CWE

  • CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in the Linux kernel's memory management subsystem, specifically in the DAMON core component. It involves improper validation of the node ID (nid) that the node_mem_{used,free}_bp DAMOS quota goals use to look up per-node memory statistics.

Privileged users can supply an arbitrary node ID through the DAMON sysfs interface (for example with the damo user-space tool), and the kernel passes it to functions such as si_meminfo_node() and NODE_DATA() without checking it. This lack of validation can lead to out-of-bounds memory access, potentially causing kernel crashes or undefined behavior.

The issue was fixed by adding validation to ensure that if an invalid node ID is provided, the system returns safe default values instead of accessing invalid memory.

Impact Analysis

This vulnerability allows privileged users to trigger out-of-bounds memory access in the Linux kernel, which can lead to kernel crashes or denial of service.

Such crashes can disrupt system availability and stability, potentially causing downtime or requiring system reboots.

Since the issue requires privileged access to exploit, it primarily impacts systems where users have elevated permissions.

Detection Guidance

The most direct check is the kernel version: the affected ranges listed above are 6.16 up to (but not including) 6.18.27 and 6.19 up to (but not including) 7.0.4, so an unpatched kernel inside either range should be treated as vulnerable.

The vulnerability can also be confirmed by reproducing the out of bounds access with the DAMON user-space tool (damo), using the parameters from the commit message. Because a successful reproduction faults the kernel, do this only on a disposable test system. Run the following commands as root:

  • sudo ./damo start --damos_action stat --damos_quota_goal node_mem_used_bp 50% -1 --damos_quota_interval 1s
  • sudo dmesg

If the system is vulnerable, the kernel log (dmesg) may show a message such as "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098", indicating the out of bounds access.

Mitigation Strategies

The vulnerability is fixed by validating the node id (nid) passed to the DAMON core. If an invalid node id is given, the kernel returns safe default values (0% used, 100% free) instead of accessing out of bounds memory.

Immediate mitigation steps include:

  • Apply the patch that validates damos_quota_goal->nid so that only valid node ids are accepted (per the affected ranges above, kernels 6.18.27 and 7.0.4 and later carry the fix).
  • Avoid running DAMON user-space tool (damo) commands with arbitrary or invalid node ids until the patch is applied.
  • Restrict privileged user access to DAMON_SYSFS interfaces to prevent exploitation.
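The validation the commit and the mitigation list describe, shown as an added example in plain C that is not the kernel's code: the node table, page counts and helper names below are constructed stand-ins for si_meminfo_node()/NODE_DATA(), and only the shape of the check and the safe defaults (0% used, 100% free) follow the fix. The unchecked variant is kept beside the checked one to show exactly where the missing bound lived; the parse_goal_nid() helper is a hypothetical user-space pre-check, not part of damo.

```c
/*
 * Added example, not the kernel's code: a user-space model of the
 * node_mem_{used,free}_bp quota-goal lookups the commit describes.
 * The node table, page counts and helper names are constructed
 * stand-ins for si_meminfo_node()/NODE_DATA().
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BP_MAX 10000u            /* 100% expressed in basis points */

struct node_meminfo {
    uint64_t total_pages;
    uint64_t free_pages;
};

/* Constructed two-node topology standing in for the per-node data. */
static const struct node_meminfo nodes[] = {
    { .total_pages = 1000000, .free_pages = 250000 },   /* node 0: 75% used */
    { .total_pages =  500000, .free_pages = 400000 },   /* node 1: 20% used */
};
#define NR_NODES ((int)(sizeof(nodes) / sizeof(nodes[0])))

/* The missing check: a node id is only usable if it indexes the table. */
static bool node_id_valid(int nid)
{
    return nid >= 0 && nid < NR_NODES;
}

/*
 * Before the fix: nid goes straight into the per-node lookup. With
 * nid == -1 (the value in the damo reproducer) this reads outside the
 * table; in the kernel that is the fault seen in dmesg.
 * Kept only for contrast; never call it with an unvalidated id.
 */
static unsigned int node_mem_used_bp_unchecked(int nid)
{
    const struct node_meminfo *n = &nodes[nid];
    return (unsigned int)((n->total_pages - n->free_pages) * BP_MAX / n->total_pages);
}

/* After the fix: invalid node -> 0% used, so the goal never fires on junk. */
unsigned int node_mem_used_bp(int nid)
{
    if (!node_id_valid(nid))
        return 0;
    const struct node_meminfo *n = &nodes[nid];
    if (n->total_pages == 0)
        return 0;
    return (unsigned int)((n->total_pages - n->free_pages) * BP_MAX / n->total_pages);
}

/* After the fix: invalid node -> 100% free. */
unsigned int node_mem_free_bp(int nid)
{
    if (!node_id_valid(nid))
        return BP_MAX;
    const struct node_meminfo *n = &nodes[nid];
    if (n->total_pages == 0)
        return BP_MAX;
    return (unsigned int)(n->free_pages * BP_MAX / n->total_pages);
}

/*
 * Hypothetical defence in depth at the boundary: a user-space wrapper or
 * admin tool can refuse an out-of-range id outright instead of relying on
 * the kernel's default. Accepts only a fully consumed decimal id in range.
 */
bool parse_goal_nid(const char *s, int *nid_out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v >= NR_NODES)
        return false;
    *nid_out = (int)v;
    return true;
}

int main(void)
{
    const char *inputs[] = { "0", "1", "-1", "2", "1x" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int nid;
        if (parse_goal_nid(inputs[i], &nid))
            printf("nid %-3s accepted: used=%u bp free=%u bp (unchecked used=%u bp)\n",
                   inputs[i], node_mem_used_bp(nid), node_mem_free_bp(nid),
                   node_mem_used_bp_unchecked(nid));
        else
            printf("nid %-3s rejected at the boundary\n", inputs[i]);
    }
    /* What the fixed kernel path returns when the bad id still gets through. */
    printf("kernel-side defaults for nid -1: used=%u bp free=%u bp\n",
           node_mem_used_bp(-1), node_mem_free_bp(-1));
    return 0;
}
```

Compile with `cc -Wall -o nid_check nid_check.c && ./nid_check`. The point of the two layers is that the kernel default is a safety net, not an interface contract: a goal set with nid -1 now silently evaluates as "0% used", which is harmless but also meaningless, so rejecting the value where it is entered keeps the quota goal honest as well as safe.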