CVE-2026-53059
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dm log: fix out-of-bounds write due to region_count overflow

The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions. Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc.

This can be reproduced by creating a mirror target whose region_count overflows 32 bits:

  dmsetup create bigzero --table '0 8589934594 zero'
  dmsetup create mymirror --table '0 8589934594 mirror \
      core 2 2 nosync 2 /dev/mapper/bigzero 0 \
      /dev/mapper/bigzero 0'

The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1):

  $ dmsetup status mymirror
  0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...

This leads to a kernel crash in core_in_sync:

  BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
  RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
  CR2: 0000000000000008
  Fixing recursive fault but reboot is needed!

Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.
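The arithmetic behind the description, as an added illustration in C that is not the kernel's dm-log.c: region_count is computed from the reproducer's 8589934594-sector target and 2-sector region, once through a 32-bit local as in the vulnerable code and once through the sector_t path with the overflow check the fix adds. The bitset layout (one bit per region, rounded up to 32-bit words) and the -EINVAL return value are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t sector_t;  /* 64-bit sector count, as in the kernel */

/* Stand-in for dm_sector_div_up(): ceiling division on 64-bit values. */
static sector_t sector_div_up(sector_t n, sector_t d) { return (n + d - 1) / d; }

/* Bytes for one region bitset: one bit per region, rounded up to whole 32-bit
 * words. Modeled layout (assumption), not copied from dm-log.c. */
static sector_t bitset_bytes(sector_t region_count)
{
    return ((region_count + 31) & ~(sector_t)31) / 8;
}

/* Vulnerable shape: the 64-bit result lands in a 32-bit local and truncates. */
static unsigned int region_count_truncated(sector_t len, sector_t region_size)
{
    unsigned int region_count = sector_div_up(len, region_size);
    return region_count;
}

/* Fixed shape: keep sector_t and refuse counts that do not fit lc->region_count.
 * -EINVAL is an assumed error code; the advisory only says "explicit overflow check". */
static int region_count_checked(sector_t len, sector_t region_size, unsigned int *out)
{
    sector_t region_count = sector_div_up(len, region_size);
    if (region_count > UINT_MAX)
        return -EINVAL;
    *out = (unsigned int)region_count;
    return 0;
}

/* 1 if a region index from the full region space lands past a bitset that was
 * sized from the truncated count, i.e. the out-of-bounds write the advisory describes. */
static int index_out_of_bounds(sector_t len, sector_t region_size, sector_t region)
{
    return region >= bitset_bytes(region_count_truncated(len, region_size)) * 8;
}

int main(void)
{
    sector_t len = 8589934594ULL, rs = 2;  /* from the advisory's reproducer */
    printf("regions %llu, truncated to %u; bitset %llu bytes instead of %llu\n",
           (unsigned long long)sector_div_up(len, rs), region_count_truncated(len, rs),
           (unsigned long long)bitset_bytes(region_count_truncated(len, rs)),
           (unsigned long long)bitset_bytes(sector_div_up(len, rs)));
}
```

With the reproducer's values the truncated count is 1, so the bitsets hold 32 bits where 4294967297 regions are addressed; any region index of 32 or more is already past the allocation.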
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Quick Actions
Impact Analysis

This vulnerability can lead to out-of-bounds writes in kernel memory, which may cause the Linux kernel to crash. Such crashes can result in system instability, data loss, or denial of service.

Because the issue occurs in the device-mapper subsystem, systems using device-mapper targets with very large sizes and small region sizes are particularly at risk.

An attacker with local access could potentially trigger this vulnerability to cause a denial of service by crashing the kernel.

Executive Summary

This vulnerability exists in the Linux kernel's device-mapper log (dm log) subsystem. It is an out-of-bounds write caused by an overflow of the region_count variable: region_count is a 32-bit unsigned integer, but it is assigned the result of a 64-bit division without any range check. When the device-mapper target length is very large and the region size is small, the division result can exceed the maximum value of a 32-bit integer and is silently truncated.

Because of this truncation, memory allocations for bitsets (clean_bits, sync_bits, recovering_bits) are smaller than needed. Later operations that use region indices based on the full 64-bit value write outside the allocated memory bounds, leading to out-of-bounds kernel heap writes. This can cause kernel crashes.

The issue can be reproduced by creating a mirror target with a region_count that overflows 32 bits, which results in incorrect status output and eventually a kernel crash.

Detection Guidance

In operation, detection means watching for the creation of device-mapper targets whose region_count (target length divided by region size) exceeds 32 bits. On a test system, the issue can be confirmed directly by creating a mirror target with a very large length and a small region size, which makes region_count overflow; since the reproduction ends in a kernel crash, it should not be run on a production host.

The following commands demonstrate how to create such targets and check their status, which can help detect the vulnerability:

  • dmsetup create bigzero --table '0 8589934594 zero'
  • dmsetup create mymirror --table '0 8589934594 mirror core 2 2 nosync 2 /dev/mapper/bigzero 0 /dev/mapper/bigzero 0'
  • dmsetup status mymirror

The status output will show a truncated sync_count (e.g., 1 instead of 4294967297), indicating the overflow and presence of the vulnerability.

Mitigation Strategies

Immediate mitigation involves applying the fix that widens the local region_count variable to 64 bits (sector_t) and adds an explicit overflow check before assigning the value. This fix prevents out-of-bounds writes and kernel crashes.

Until the fix is applied, avoid creating device-mapper targets with very large lengths and small region sizes that could cause the region_count to overflow 32 bits.

Additionally, monitor kernel logs for crashes related to dm_log, such as BUG messages involving core_in_sync and scheduling while atomic errors.
