CVE-2026-46023
Analyzed Analyzed - Analysis Complete
Integer Overflow in Linux Kernel Device Mapper

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in create_dirty_log() The argument count calculation in create_dirty_log() performs `*args_used = 2 + param_count` before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent `argc < *args_used` check to be bypassed. The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array. Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46023
EUVD
EUVD-2026-32404
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.258 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's device mapper mirror feature, specifically in the create_dirty_log() function. The function calculates the number of arguments it expects by adding 2 to a parameter count (param_count) without first validating that this addition won't overflow. If a user supplies a param_count value close to the maximum unsigned integer (UINT_MAX), the addition wraps around to a small number due to integer overflow. This causes the function to bypass a check that ensures the correct number of arguments are provided.

As a result, the overflowed param_count is passed as an argument count to another function, dm_dirty_log_create(), which can then perform out-of-bounds reads on the argv array. This means the program might read memory it shouldn't, potentially leading to undefined behavior or security issues.

The fix involves validating that param_count is less than or equal to argc - 2 before performing the addition, preventing the overflow and ensuring proper argument count validation.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's device mapper mirror feature. Such out-of-bounds reads may cause system instability, crashes, or potentially expose sensitive kernel memory contents to an attacker.

If exploited, it could allow an attacker with the ability to provide crafted device mapper table strings to read unintended memory areas, which might lead to information disclosure or further exploitation depending on the system context.

Mitigation Strategies

The vulnerability in the Linux kernel dm mirror component involves an integer overflow in the create_dirty_log() function. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue has been fixed.

Specifically, apply the patch that fixes the integer overflow by validating param_count against argc - 2 before performing the addition, as described in the fix.

Until the update is applied, avoid using untrusted or malformed device mapper table strings that could trigger this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46023. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart