HIGH
md/raid5 Journal OOB
CVE-2026-46070
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 5.0 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: validate payload size before accessing journal metadata

r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal containing payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.
02 KernelScan AI Analysis
Risk summary
md RAID5 arrays configured with a journal device (the r5cache "write-journal" device, in either write-through or write-back mode) are exposed to out-of-bounds kernel memory reads while the journal is replayed at array start. An attacker who can write raw contents to the journal device (root, or physical access to the storage media) can plant a metadata block whose payload size fields are oversized; when the array is next assembled, recovery walks past the end of the metadata page, which can leak adjacent kernel memory or crash the kernel. The block checksum offers no protection, since whoever writes the corrupted block also computes its checksum. Exploitation therefore requires privileged access to the journal device rather than an unprivileged local user. To check exposure, look for a member with the Journal role in the output of mdadm --detail /dev/mdX, or for the presence of /sys/block/mdX/md/journal_mode.
Vulnerability analysis
The vulnerability exists in the RAID5 cache recovery functions r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which iterate over journal metadata payloads using on-disk size fields without first validating them against the remaining space in the metadata block. The block-level meta_size field is already bounded to PAGE_SIZE when the metadata block is read; what was missing is the per-payload check. Each payload carries a header, a fixed part and a variable-length tail whose length is derived from the on-disk size field (a per-4 KiB-block checksum array for DATA and PARITY payloads, a list of stripe sectors for FLUSH payloads). A corrupted journal with an oversized payload length makes the recovery code read that tail, or compute the offset of the next payload, beyond the PAGE_SIZE metadata block boundary. The fix adds explicit bounds validation for each payload type (DATA, PARITY, FLUSH), ensuring the computed payload length fits within meta_size before any payload field is accessed.
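To make the failure mode concrete, the following is an added example written for this page; it is not the kernel's code and not part of the advisory. It is a simplified C model of how recovery walks the payloads of one PAGE_SIZE metadata block, in the unchecked form (modelling the bug) and the checked form (modelling the fix). The struct layouts approximate drivers/md/raid5-log.h but field names, the magic value, the assumed max_degraded of 1, host byte order instead of le32_to_cpu(), and the sample blocks are all assumptions made here. Every read goes through an accessor that records where the unchecked walk would have read past the page instead of actually faulting, so both behaviours can be observed safely.

```c
/*
 * Added example, not kernel code: a simplified model of the raid5 journal
 * meta block walk, with and without per-payload bounds checks.
 * Layouts approximate drivers/md/raid5-log.h; names and values are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

#define PAGE_SIZE       4096
#define PAGE_SHIFT      12
#define PAYLOAD_DATA    0
#define PAYLOAD_PARITY  1
#define PAYLOAD_FLUSH   2
#define MAX_DEGRADED    1   /* assumed RAID5: one parity block per stripe */

struct meta_block {            /* 32-byte header of the on-disk meta block */
    uint32_t magic, checksum;
    uint8_t  version, pad1; uint16_t pad2;
    uint32_t meta_size;        /* bytes of the page in use (already bounded to PAGE_SIZE) */
    uint64_t seq, position;
} __attribute__((packed));
struct payload_hdr   { uint16_t type, flags; } __attribute__((packed));
struct payload_dp    { struct payload_hdr h; uint32_t size; uint64_t location;  /* size in sectors */
                       uint32_t checksum[]; } __attribute__((packed));          /* one per 4 KiB block */
struct payload_flush { struct payload_hdr h; uint32_t size;                      /* size in bytes */
                       uint64_t flush_stripes[]; } __attribute__((packed));

struct walk { const uint8_t *mb; bool oob; size_t oob_at; int payloads; int rc; };

/* All reads go through here: an access past the page is recorded, not performed. */
static const void *rd(struct walk *w, size_t off, size_t len)
{
    if (off + len > PAGE_SIZE) { if (!w->oob) { w->oob = true; w->oob_at = off; } return NULL; }
    return w->mb + off;
}

/* Returns 0 on success, -1 (EINVAL) on rejection. checked=false models the bug. */
static int walk_meta_block(const uint8_t *page, bool checked, struct walk *w)
{
    memset(w, 0, sizeof *w); w->mb = page;
    const struct meta_block *mb = (const struct meta_block *)page;
    uint32_t meta_size = mb->meta_size;
    if (meta_size > PAGE_SIZE) return -1;          /* block-level check, present before the fix */
    size_t off = sizeof *mb;
    while (off < meta_size) {
        const struct payload_hdr *h;
        if (checked && off + sizeof *h > meta_size) return -1;
        if (!(h = rd(w, off, sizeof *h))) return -1;
        if (h->type == PAYLOAD_DATA || h->type == PAYLOAD_PARITY) {
            const struct payload_dp *p;
            if (checked && off + sizeof *p > meta_size) return -1;
            if (!(p = rd(w, off, sizeof *p))) return -1;
            size_t n = h->type == PAYLOAD_DATA ? p->size >> (PAGE_SHIFT - 9) : MAX_DEGRADED;
            size_t len = sizeof *p + n * sizeof(uint32_t);
            /* the fix: the whole payload, tail included, must fit inside meta_size */
            if (checked && (n > (PAGE_SIZE - sizeof *p) / sizeof(uint32_t) || off + len > meta_size))
                return -1;
            for (size_t i = 0; i < n; i++)          /* touch each per-block checksum */
                if (!rd(w, off + sizeof *p + i * sizeof(uint32_t), sizeof(uint32_t))) return -1;
            off += len;
        } else if (h->type == PAYLOAD_FLUSH) {
            const struct payload_flush *f;
            if (checked && off + sizeof *f > meta_size) return -1;
            if (!(f = rd(w, off, sizeof *f))) return -1;
            size_t len = sizeof *f + f->size;
            if (checked && (f->size > PAGE_SIZE || off + len > meta_size)) return -1;
            for (size_t i = 0; i < f->size / sizeof(uint64_t); i++)  /* touch each stripe entry */
                if (!rd(w, off + sizeof *f + i * sizeof(uint64_t), sizeof(uint64_t))) return -1;
            off += len;
        } else return -1;
        w->payloads++;
    }
    return 0;
}

/* Constructed sample block: one DATA payload (two 4 KiB blocks) then one FLUSH payload. */
static size_t put_data(uint8_t *page, size_t off, uint32_t sectors)
{
    struct payload_dp p = { .h = { .type = PAYLOAD_DATA }, .size = sectors, .location = 0 };
    memcpy(page + off, &p, sizeof p);
    size_t n = sectors >> (PAGE_SHIFT - 9);
    for (size_t i = 0; i < n; i++) { uint32_t c = 0xC0DE0000u + (uint32_t)i; memcpy(page + off + sizeof p + 4 * i, &c, 4); }
    return off + sizeof p + 4 * n;
}
static size_t put_flush(uint8_t *page, size_t off, uint32_t nstripes)
{
    struct payload_flush f = { .h = { .type = PAYLOAD_FLUSH }, .size = nstripes * 8 };
    memcpy(page + off, &f, sizeof f);
    for (uint32_t i = 0; i < nstripes; i++) { uint64_t s = 1000 + i; memcpy(page + off + sizeof f + 8 * i, &s, 8); }
    return off + sizeof f + 8 * nstripes;
}
static void build_good_block(uint8_t *page)
{
    memset(page, 0, PAGE_SIZE);
    struct meta_block mb = { .magic = 0x6433c509, .seq = 1 };   /* magic value assumed */
    size_t off = put_flush(page, put_data(page, sizeof mb, 16), 3);   /* DATA at 32, FLUSH at 56 */
    mb.meta_size = (uint32_t)off;                                     /* 88 bytes in use */
    memcpy(page, &mb, sizeof mb);
}
/* Overwrites the trusted on-disk size field of the payload at 'off' (just after its 4-byte header). */
static void corrupt_size(uint8_t *page, size_t off, uint32_t bad_size)
{
    memcpy(page + off + sizeof(struct payload_hdr), &bad_size, sizeof bad_size);
}
/* Builds the sample block, optionally corrupts one size field, and walks it. */
static struct walk scenario(bool checked, size_t corrupt_off, uint32_t bad_size)
{
    uint8_t page[PAGE_SIZE]; struct walk w;
    build_good_block(page);
    if (bad_size) corrupt_size(page, corrupt_off, bad_size);
    w.rc = walk_meta_block(page, checked, &w);
    w.mb = NULL;
    return w;
}

int main(void)
{
    struct walk w = scenario(false, 0, 0);
    printf("intact block, unchecked walk: rc=%d payloads=%d\n", w.rc, w.payloads);
    w = scenario(false, 32, 65536);      /* DATA size claims 32 MiB: 8192 checksums, page holds ~1000 */
    printf("oversized DATA, unchecked: rc=%d oob=%d at byte %zu (read past the page)\n", w.rc, w.oob, w.oob_at);
    w = scenario(true, 32, 65536);
    printf("oversized DATA, checked:   rc=%d oob=%d (rejected before reading the tail)\n", w.rc, w.oob);
    w = scenario(false, 56, 0xFFFFFFF8u); /* FLUSH size claims ~4 GiB of stripe entries */
    printf("oversized FLUSH, unchecked: rc=%d oob=%d at byte %zu\n", w.rc, w.oob, w.oob_at);
    return 0;
}
```

The order of the checks in the fixed path is the point: the header is checked before it is read, the fixed part before its size field is read, and the size-derived tail length before any element of the tail is touched, so a corrupted field is rejected rather than acted on.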
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | c96c6f01d84b |
| 5.15 | 5.15.209 | ef4851d8324f |
| 6.1 | 6.1.175 | 28d3ff7109c6 |
| 6.6 | 6.6.140 | 33698bd1b2db |
| 6.12 | 6.12.86 | c3a1cf78bd1b |
| 6.18 | 6.18.27 | 73ce72edd113 |
| 7.0 | 7.0.4 | 406aa86394ea |
| mainline | 7.1-rc1 | b0cc3ae97e89 |