CVE-2026-46067
Status: Awaiting Analysis
Memory Corruption in Linux Kernel DAMON Core

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Users can set damos_quota_goal->nid with arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using DAMON user-space tool (damo), like below.

    $ sudo mkdir /sys/fs/cgroup/foo
    $ sudo ./damo start --damos_action stat --damos_quota_interval 1s \
          --damos_quota_goal node_memcg_used_bp 50% -1 /foo
    $ sudo dmesg
    [...]
    [  524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00

Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.

Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE

  Vendor    Product         Version / Range
  linux     linux_kernel    *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's DAMON core component, in the handling of the damos_quota_goal->nid value used for the node_memcg_{used,free}_bp quota goals. Users can set this nid to an arbitrary value. Because the DAMON core passes the value to NODE_DATA() without checking that it is valid, this can lead to out of bounds memory access, potentially causing kernel crashes or instability.

The issue can be triggered using the DAMON user-space tool (damo) by setting an invalid node id, which causes the kernel to attempt to access invalid memory addresses.

The fix involves adding validation for the node id. If an invalid node id is provided, the system returns 0% for used memory ratio and 100% for free memory ratio instead of accessing invalid memory.

Impact Analysis

This vulnerability can impact you by causing out of bounds memory access in the Linux kernel, which may lead to kernel crashes or system instability.

If exploited, it could disrupt normal system operations, potentially causing denial of service or unexpected behavior in systems relying on the DAMON core for memory monitoring.

Detection Guidance

This vulnerability can be detected by observing kernel logs for out of bounds memory access errors triggered by the DAMON user-space tool (damo). Specifically, running the damo tool with certain parameters can reproduce the issue.

  • Create a cgroup directory: sudo mkdir /sys/fs/cgroup/foo
  • Run the damo tool with the vulnerable parameters: sudo ./damo start --damos_action stat --damos_quota_interval 1s --damos_quota_goal node_memcg_used_bp 50% -1 /foo
  • Check kernel logs for errors indicating the vulnerability: sudo dmesg

If the vulnerability is present, the kernel log will show messages such as "Unable to handle kernel paging request at virtual address ..." indicating out of bounds memory access.

Mitigation Strategies

The vulnerability is fixed by adding validation of the given node id in the DAMON core. If an invalid node id is given, the system returns safe default values instead of accessing out of bounds memory.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.

Until the update is applied, avoid using the DAMON user-space tool (damo) with arbitrary or invalid node id values for the damos_quota_goal parameter to prevent triggering the vulnerability.
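
The fix behaviour described above (0% used and 100% free for an invalid node id), shown as an added user-space model in C. This is not the kernel patch or code from this page: every model_* name, the table size and the sample node data are assumptions made for illustration, including the rule that a node id is valid only when it is in range and the node is present.

```c
/* User-space model of the node-id validation; hypothetical names, not kernel code. */
#include <stdio.h>
#include <stddef.h>

#define MODEL_MAX_NODES 4      /* assumed stand-in for the kernel's node limit */
#define BP_FULL 10000UL        /* 100% expressed in basis points */

struct model_node { unsigned long total_pages, used_pages; };

/* Constructed sample data: nodes 0 and 1 are present, 2 and 3 are not. */
static struct model_node node0 = { 1000, 250 };
static struct model_node node1 = { 2000, 1500 };
static struct model_node *model_node_data[MODEL_MAX_NODES] =
    { &node0, &node1, NULL, NULL };

/* Usable only if the id indexes the table and the node exists (assumed rule). */
static int model_valid_nid(int nid)
{
    return nid >= 0 && nid < MODEL_MAX_NODES && model_node_data[nid] != NULL;
}

/* Used-memory ratio in basis points; an invalid node id reports 0%. */
unsigned long model_used_bp(int nid)
{
    if (!model_valid_nid(nid))
        return 0;   /* never index the table with an unchecked id */
    struct model_node *n = model_node_data[nid];
    if (n->total_pages == 0)
        return 0;
    return n->used_pages * BP_FULL / n->total_pages;
}

/* Free-memory ratio in basis points; an invalid node id reports 100%. */
unsigned long model_free_bp(int nid)
{
    if (!model_valid_nid(nid))
        return BP_FULL;
    return BP_FULL - model_used_bp(nid);
}

int main(void)
{
    int samples[] = { 0, 1, 2, -1, 4096 };  /* constructed; -1 as in the report */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("nid=%d used=%lu bp free=%lu bp\n", samples[i],
               model_used_bp(samples[i]), model_free_bp(samples[i]));
    return 0;
}
```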
