CVE-2026-46253
Heap Buffer Overflow in Linux Kernel pstore/ram
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | (not assigned) |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's pstore/ram subsystem, specifically in the function persistent_ram_save_old(). The function can be called more than once for the same persistent_ram_zone, but it only allocates the old_log buffer when old_log is NULL. It nevertheless updates old_log_size unconditionally and then copies the record into the buffer with memcpy_fromio() using the new size. The allocation is ordinary kernel heap memory that is made on the first read of a zone, while the zone itself keeps accumulating data in the running kernel; if the record has grown by the time the zone is read again, the copy writes past the end of the allocation (a heap out-of-bounds write), and later accesses that trust the larger old_log_size read out of bounds as well.
The vulnerability is triggered only under specific and rare conditions: a history of crashes and reboots that leaves a crash record which did not fill the maximum record size, a non-fatal kernel oops after which the system keeps running, and the pstore_update_ms timer enabled. In that situation the timer-driven re-read finds more data in the zone than old_log was sized for, and the copy overflows.
The fix frees and reallocates old_log whenever the new size differs from the size it was allocated with, so the buffer is always large enough for the data being copied.
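The following userspace model reproduces the allocation logic described above, before and after the fix, and replays the sequence from the advisory (a partially filled leftover record read at boot, a non-fatal oops that appends to the zone, a timer-driven re-read). It is an added illustration and not the kernel's code: the struct names, the 64-byte zone, the 16- and 24-byte records and the demo-only overflow guard (which reports the overflow instead of letting the copy corrupt the heap) are all constructed for this example.

```c
/* Userspace model of the persistent_ram_save_old() logic before and after the
 * fix.  Added illustration, not the kernel's code: the struct names, sizes and
 * the demo-only overflow guard are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ZONE_CAP 64 /* constructed capacity of the persistent region */

/* Stand-in for the ramoops zone: 'size' is the number of bytes currently in use,
 * what the kernel's buffer_size() returns (ring wrap-around is left out). */
struct zone { uint8_t data[ZONE_CAP]; size_t size; };

/* The persistent_ram_zone fields that matter here; old_log_alloc is demo-only
 * bookkeeping so the overflow is detected instead of corrupting the heap. */
struct prz { struct zone *buffer; uint8_t *old_log; size_t old_log_size; size_t old_log_alloc; };

/* Append bytes to the zone as a later oops writer would. */
static void zone_append(struct zone *z, uint8_t byte, size_t n)
{
    if (z->size + n > ZONE_CAP)
        n = ZONE_CAP - z->size;
    memset(&z->data[z->size], byte, n);
    z->size += n;
}

/* Pre-fix logic: allocate only while old_log is NULL, but record the new size and
 * copy 'size' bytes on every call.  Returns -2 where the kernel would overflow. */
int save_old_vulnerable(struct prz *prz)
{
    size_t size = prz->buffer->size;
    if (!size)
        return 0;
    if (!prz->old_log) {
        prz->old_log = calloc(size, 1);
        prz->old_log_alloc = size;
    }
    if (!prz->old_log)
        return -1;
    prz->old_log_size = size;       /* grows even though the allocation did not */
    if (size > prz->old_log_alloc)  /* demo guard; the kernel has none and memcpy_fromio() overflows here */
        return -2;
    memcpy(prz->old_log, prz->buffer->data, size);  /* stands in for memcpy_fromio() */
    return 0;
}

/* Post-fix logic: drop the stale allocation whenever the record size changed. */
int save_old_fixed(struct prz *prz)
{
    size_t size = prz->buffer->size;
    if (!size)
        return 0;
    if (prz->old_log && prz->old_log_size != size) {
        free(prz->old_log);
        prz->old_log = NULL;
    }
    if (!prz->old_log) {
        prz->old_log = calloc(size, 1);
        prz->old_log_alloc = size;
    }
    if (!prz->old_log)
        return -1;
    prz->old_log_size = size;
    memcpy(prz->old_log, prz->buffer->data, size);
    return 0;
}

/* The sequence from the advisory: a leftover 16-byte crash record is read at boot,
 * a non-fatal oops appends 24 bytes, and the pstore_update_ms timer re-reads the
 * zone.  Returns the re-read's status (-3 if the copy does not match the zone)
 * and, via alloc_after, the allocation size old_log ended with. */
int replay(int (*save_old)(struct prz *), size_t *alloc_after)
{
    struct zone z = {0};
    struct prz p = { .buffer = &z };
    zone_append(&z, 'A', 16);
    int rc = save_old(&p);
    if (rc == 0) {
        zone_append(&z, 'B', 24);
        rc = save_old(&p);
    }
    if (rc == 0 && memcmp(p.old_log, z.data, z.size) != 0)
        rc = -3;
    if (alloc_after)
        *alloc_after = p.old_log_alloc;
    free(p.old_log);
    return rc;
}

/* Convenience wrapper: the allocation size old_log ended with after replay(). */
size_t replay_alloc(int (*save_old)(struct prz *))
{
    size_t alloc = 0;
    replay(save_old, &alloc);
    return alloc;
}

int main(void)
{
    size_t alloc;
    int rc = replay(save_old_vulnerable, &alloc);
    printf("vulnerable: rc=%d (40-byte copy into a %zu-byte buffer)\n", rc, alloc);
    rc = replay(save_old_fixed, &alloc);
    printf("fixed:      rc=%d (buffer reallocated to %zu bytes)\n", rc, alloc);
    return 0;
}
```

The vulnerable path ends with a 40-byte record and a 16-byte allocation, which is exactly the mismatch the KASAN report against ramoops_pstore_read() would flag; the fixed path frees the 16-byte buffer and allocates 40 bytes before copying. The real kernel uses kvzalloc()/kvfree() and copies the ring buffer in two memcpy_fromio() calls, which this model collapses into one memcpy().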
How can this vulnerability impact me?
This vulnerability is a heap buffer overflow in the Linux kernel, so it corrupts kernel heap memory. In general such corruption can cause crashes and denial of service and, in the worst case, be turned into arbitrary code execution or privilege escalation.
The conditions required to reach it are rare and specific: a particular crash history, a non-fatal oops that leaves the system running, and pstore_update_ms enabled, which is not the default. Triggering it means provoking kernel oopses on such a system rather than feeding crafted input to a parser, so for most users the practical impact is limited and it is primarily a stability concern.
Still, it is an out-of-bounds write into the kernel heap: on systems that do enable runtime pstore updates it can crash or destabilise the kernel, and use as a privilege-escalation primitive cannot be ruled out.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a heap buffer overflow in the Linux kernel's persistent RAM subsystem, in persistent_ram_save_old(); the out-of-bounds access is reported against ramoops_pstore_read, the caller that drives the copy. Detection means watching kernel logs for out-of-bounds reports in that path, and checking whether the triggering configuration is present at all.
A typical indicator is a KASAN (Kernel Address Sanitizer) error message similar to: "BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x..." which indicates an out-of-bounds read or write. Note that KASAN is a debug option: a production kernel built without it prints no such report, and the corruption may be silent or surface only as unrelated crashes.
To detect this on your system, you can check the kernel logs for such errors and inspect the pstore configuration with commands like:
- dmesg | grep -i kasan
- journalctl -k | grep -i kasan
- grep -i 'ramoops_pstore_read' /var/log/kern.log
- cat /sys/module/pstore/parameters/update_ms (the default -1 means runtime updates are disabled and the timer-driven path is not reachable)
- grep -o 'pstore.update_ms=[^ ]*' /proc/cmdline (shows whether the timer was enabled on the kernel command line)
- ls /sys/fs/pstore (with pstore mounted there, lists leftover records from earlier crashes)
Additionally, leftover crash records in the pstore mount combined with non-fatal kernel oops messages in the current boot's log are the preconditions described above, and are worth watching for on systems where runtime updates are enabled.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by improper handling of buffer sizes in persistent_ram_save_old(), leading to a heap buffer overflow when a zone's record grows between the first read of that zone and a later re-read while the kernel is running.
Immediate mitigation steps include:
- Apply the patch that frees and reallocates the buffer when the new size differs from the previously allocated size, ensuring the buffer is always large enough.
- Make sure runtime pstore updates stay disabled. pstore_update_ms defaults to -1 (disabled); only a non-negative value, set via pstore.update_ms= on the kernel command line or through /sys/module/pstore/parameters/update_ms, enables the timer-based re-read that reaches the vulnerable code path. Leaving it at the default, or resetting it to a negative value, prevents the overflow from being triggered.
- Clear leftover crash records (deleting the files in the pstore mount erases them) and keep an eye on non-fatal kernel oops events on the running system, since a partially filled old record followed by a later oops is the combination required to trigger the vulnerability.
Ultimately, updating the Linux kernel to a version that includes the fix for this vulnerability is the most effective mitigation.