HIGH
mm VmallocRealloc OOB
CVE-2026-46281
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

vmalloc: fix buffer overflow in vrealloc_node_align()

Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc") added the ability to force a new allocation if the current pointer is on the wrong NUMA node, or if an alignment constraint is not met, even if the user is shrinking the allocation.

On this path (need_realloc), the code allocates a new object of 'size' bytes and then memcpy()s 'old_size' bytes into it. If the request is to shrink the object (size < old_size), this results in an out-of-bounds write on the new buffer.

Fix this by bounding the copy length by the new allocation size.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger an out-of-bounds write in kernel memory through the vmalloc reallocation function. This can lead to kernel memory corruption, privilege escalation, or system crashes on systems where untrusted code can perform memory allocations with specific NUMA node or alignment requirements.
Vulnerability analysis
The vulnerability occurs in vrealloc_node_align() when shrinking an allocation that requires reallocation due to NUMA node or alignment constraints. The function allocates a new buffer of 'size' bytes but copies 'old_size' bytes from the original buffer, causing an out-of-bounds write when size < old_size. The fix bounds the memcpy length to min(size, old_size), preventing the buffer overflow. This affects kernel code paths that use vmalloc reallocation with node/alignment parameters, primarily reachable through kernel APIs rather than direct syscalls.
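The copy-length defect described above, modelled in userspace as an added example (constructed for this page; not kernel code and not the patch itself). The "new object" is the first `size` bytes of a larger region whose tail is filled with a guard pattern, so the unbounded copy of `old_size` bytes can be measured instead of corrupting unrelated memory; `guard_bytes_clobbered` and `min_sz` are names chosen here.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Guard pattern written after the "new object" so an over-copy is visible. */
#define GUARD 0xA5

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Model of the need_realloc path: a filled `old_size`-byte object is copied
 * into a freshly allocated `size`-byte object.
 *   bounded == 0 reproduces the buggy copy of `old_size` bytes;
 *   bounded != 0 applies the fix, copying min(size, old_size).
 * Returns the number of guard bytes overwritten (0 means no overflow),
 * or (size_t)-1 if allocation fails. */
size_t guard_bytes_clobbered(size_t old_size, size_t size, int bounded)
{
    unsigned char *old = malloc(old_size);
    /* Region = new object + guard zone large enough for the unbounded copy. */
    size_t region = size + old_size;
    unsigned char *nbuf = malloc(region);
    if (!old || !nbuf) { free(old); free(nbuf); return (size_t)-1; }

    memset(old, 0x11, old_size);
    memset(nbuf, GUARD, region);

    size_t copy = bounded ? min_sz(size, old_size) : old_size;
    memcpy(nbuf, old, copy);   /* the copy in question */

    size_t clobbered = 0;
    for (size_t i = size; i < region; i++)
        if (nbuf[i] != GUARD)
            clobbered++;

    free(old);
    free(nbuf);
    return clobbered;
}

int main(void)
{
    printf("shrink 4096->1024, unbounded copy: %zu guard bytes clobbered\n",
           guard_bytes_clobbered(4096, 1024, 0));
    printf("shrink 4096->1024, bounded copy:   %zu guard bytes clobbered\n",
           guard_bytes_clobbered(4096, 1024, 1));
    return 0;
}
```

Growing the object (old_size <= size) is unaffected either way, which is why the bug is only reached on the shrink path.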
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.27 | e9b057a44def |
| 7.0 | 7.0.4 | b281adf71f78 |
| mainline | 7.1-rc2 | 82d1f01292d3 |