CVE-2026-46294
Received - Intake
Buffer Overflow in Linux Kernel Device Mapper

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dm: fix a buffer overflow in ioctl processing

Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status:

1. The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there
2. Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr);
3. The alignment doesn't check overflow, so outptr could point past the buffer end
4. The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf);
5. If "outptr" points past "outbuf + len", the arithmetic wraps around and the variable "remaining" contains an unusually high number
6. With "remaining" being high, the code writes more data past the end of the buffer

Luckily, this bug has no security implications because:

1. Only root can issue device mapper ioctls
2. The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally
Meta Information

Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is a buffer overflow in the Linux kernel's device mapper ioctl processing, specifically in the function retrieve_status.

The issue occurs because after writing an output string into a buffer, the code aligns a pointer to the next 8-byte boundary without checking if this alignment causes the pointer to go past the end of the buffer.

If the pointer goes past the buffer end, subsequent calculations can wrap around and cause the code to write more data beyond the buffer's boundary, leading to a buffer overflow.

However, this bug has no security implications in practice because only root can issue device mapper ioctls, and commonly used libraries ensure buffer sizes are aligned to prevent this overflow from occurring accidentally.
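
The pointer arithmetic described above, as an added user-space model (not the kernel's code and not its actual fix). Offsets stand in for outptr - outbuf, the buffer start is assumed to be 8-byte aligned, and the function names are hypothetical:

```c
#include <stddef.h>
#include <stdio.h>

/* Round an offset up to the next multiple of 8. Models align_ptr() applied
 * to (outptr - outbuf), assuming outbuf itself is 8-byte aligned. */
static size_t align8(size_t off)
{
    return (off + 7) & ~(size_t)7;
}

/* Unchecked form: "remaining" as computed on the next loop iteration after
 * rec_len bytes were written at offset off in a buffer of len bytes. */
size_t remaining_unchecked(size_t len, size_t off, size_t rec_len)
{
    off = align8(off + rec_len);  /* can land past len */
    return len - off;             /* size_t subtraction wraps if off > len */
}

/* Guarded form: refuse to continue once the aligned offset leaves the buffer.
 * Returns 0 and sets *remaining on success, -1 if the buffer is exhausted. */
int remaining_checked(size_t len, size_t off, size_t rec_len, size_t *remaining)
{
    if (off > len || rec_len > len - off)
        return -1;                /* the record itself does not fit */
    off = align8(off + rec_len);
    if (off > len)
        return -1;                /* alignment overshot the buffer end */
    *remaining = len - off;
    return 0;
}

int main(void)
{
    /* Constructed sizes: a 13-byte record in a 13-byte vs. a 16-byte buffer. */
    size_t lens[] = { 13, 16 };
    for (size_t i = 0; i < 2; i++) {
        size_t r = 0;
        int rc = remaining_checked(lens[i], 0, 13, &r);
        printf("len=%zu unchecked=%zu checked rc=%d remaining=%zu\n",
               lens[i], remaining_unchecked(lens[i], 0, 13), rc, r);
    }
    return 0;
}
```

When len is a multiple of 8, the aligned offset can never exceed len in this model, which is why callers using 8-byte-aligned buffer sizes do not reach the wrapped value.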

Impact Analysis

In theory, this vulnerability could cause a buffer overflow, which might lead to memory corruption.

However, in practice, this vulnerability has no security implications because only root users can issue the affected device mapper ioctls, and the libraries that interact with the device mapper use properly aligned buffer sizes that prevent the overflow from occurring.

Therefore, the impact on typical users or systems is minimal or nonexistent.

Detection Guidance

This vulnerability is a buffer overflow in the Linux kernel's device mapper ioctl processing, specifically in the retrieve_status function.

Detection would involve checking if the system is running a vulnerable version of the Linux kernel that has not applied the fix for this buffer overflow.

Since only root can issue device mapper ioctls and the vulnerability depends on specific buffer alignment conditions, direct detection via network commands is not applicable.

No specific commands or detection tools are provided in the available information.

Mitigation Strategies

The vulnerability has no security implications under normal conditions because only root can issue device mapper ioctls and commonly used libraries use properly aligned buffers preventing the bug from triggering accidentally.

The immediate mitigation step is to update the Linux kernel to a version where this buffer overflow in dm-ioctl has been fixed.

Limiting root access and ensuring that only trusted users can issue device mapper ioctls can also reduce risk.

Compliance Impact

This vulnerability has no security implications because only root can issue device mapper ioctls, and commonly used libraries prevent the bug from occurring accidentally.

Since the vulnerability does not lead to unauthorized access or data leakage, it does not directly affect compliance with common standards and regulations such as GDPR or HIPAA.
