CVE-2026-46023 PUBLISHED

dm mirror: fix integer overflow in create_dirty_log()

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

dm mirror: fix integer overflow in create_dirty_log()

The argument count calculation in create_dirty_log() performs *args_used = 2 + param_count before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent argc < *args_used check to be bypassed.

The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array.

Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 35f6b3281efd44d19110574663bc17a610bc73b9 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 47dad9eea75d33212d3d2cea10e7ed6a1bfc0713 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 17a08791d428885d00e510864283a7b839792368 (excl.)
  • affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 4c788c6f921b22f9b6c3f316c4a071c05683e7de (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.12 is affected
  • unaffected from 0 to 2.6.12 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References