CVE-2026-46130
Received Received - Intake
dm-verity FEC parity block out-of-bounds read in Linux kernel

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-46130
EUVD
EUVD-2026-32889
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux linux_kernel From 5.15.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's dm-verity-fec component, specifically in the function fec_decode_bufs(). The function incorrectly assumes that parity bytes of the first Reed-Solomon (RS) codeword it decodes are never split across parity blocks. However, under certain conditions involving specific values of fec_roots and the number of buffers (nbufs), parity bytes can be split across blocks, causing the function to read out-of-bounds from the parity block buffer.

This out-of-bounds read occurs when the byte alignment of parity data crosses a block boundary, for example when block_size is 4096 and fec_roots is 17 with nbufs equal to 1. The vulnerability is triggered only in rare cases with non-default fec_roots values and when the maximum number of buffers cannot be allocated due to low memory.

The issue was fixed by refactoring how parity blocks are read to prevent reading beyond the buffer limits.


How can this vulnerability impact me? :

This vulnerability can lead to out-of-bounds reads in the Linux kernel's dm-verity-fec component. Such out-of-bounds reads may cause system instability, crashes, or potentially expose sensitive memory contents.

However, the vulnerability is difficult to trigger because it requires specific non-default configurations and low memory conditions, which limits its practical impact.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been fixed by refactoring how the parity blocks are read in the Linux kernel's dm-verity-fec component.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart