CVE-2026-46190
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Read in Linux Kernel MTD SPI-NOR Debugfs

Publication date: 2026-05-28

Last updated on: 2026-06-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-11
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46190
EUVD
EUVD-2026-32817
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 5.19 (inc) to 6.6.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds read in the Linux kernel's spi-nor debugfs component, specifically in the function spi_nor_params_show().

The issue arises because the code uses sizeof() on an array of pointers (snor_f_names) to determine the length of the array. Since sizeof() returns the total byte size of the pointers rather than the number of elements, on 64-bit systems this results in an inflated length value that is 8 times larger than intended.

This inflated length is then used for bounds checking in spi_nor_print_flags(), which can cause the function to read beyond the actual array bounds if certain flag bits are set.

The fix involves using ARRAY_SIZE() to correctly pass the actual number of elements in the array, preventing the out-of-bounds read.

Impact Analysis

An out-of-bounds read vulnerability can lead to the kernel reading memory beyond the intended array boundaries.

This can potentially cause information disclosure if sensitive data is read, or lead to system instability or crashes.

However, the specific impact depends on how the spi-nor debugfs interface is used and whether an attacker can trigger the out-of-bounds read.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart