CVE-2026-46067 PUBLISHED

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Users can set damos_quota_goal->nid with an arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using DAMON user-space tool (damo), like below.

<pre>
$ sudo mkdir /sys/fs/cgroup/foo
$ sudo ./damo start --damos_action stat --damos_quota_interval 1s \
        --damos_quota_goal node_memcg_used_bp 50% -1 /foo
$ sudo dmesg
[...]
[ 524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00
</pre>

Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.
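
A user-space C model of the check described above, added here as an illustration; it is not the kernel patch or DAMON's own code. The node table, MODEL_MAX_NODES and all model_* names are assumptions, and ratios are expressed in basis points (10000 = 100%).

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_MAX_NODES 4 /* assumption: stand-in for the kernel's node limit */

/* Constructed per-node accounting; present == false models a node that does not exist. */
struct model_node {
	unsigned long used_pages;
	unsigned long total_pages;
	bool present;
};

static const struct model_node model_nodes[MODEL_MAX_NODES] = {
	{ 2500, 10000, true },  /* node 0: 25% used */
	{ 0, 0, true },         /* node 1: present but has no memory */
	{ 0, 0, false },        /* nodes 2 and 3: absent */
	{ 0, 0, false },
};

/* The range test runs first, so the table is never indexed with an
 * out-of-range id such as the -1 from the reproducer. */
static bool model_nid_is_valid(int nid)
{
	return nid >= 0 && nid < MODEL_MAX_NODES &&
	       model_nodes[nid].present && model_nodes[nid].total_pages > 0;
}

/* Used ratio in basis points; an invalid node id reports 0%. */
static unsigned long model_node_used_bp(int nid)
{
	if (!model_nid_is_valid(nid))
		return 0;
	return model_nodes[nid].used_pages * 10000 / model_nodes[nid].total_pages;
}

/* Free ratio in basis points; an invalid node id reports 100%. */
static unsigned long model_node_free_bp(int nid)
{
	if (!model_nid_is_valid(nid))
		return 10000;
	return 10000 - model_node_used_bp(nid);
}

int main(void)
{
	for (int nid = -1; nid <= MODEL_MAX_NODES; nid++)
		printf("nid %2d: used %5lu bp, free %5lu bp\n", nid,
		       model_node_used_bp(nid), model_node_free_bp(nid));
	return 0;
}
```
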

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from b74a120bcf50787e5b9a2c3dcff999f9836ce1db to da10db73ada26345244ea5dc52f974692bd05f66 (excl.)
  • affected from b74a120bcf50787e5b9a2c3dcff999f9836ce1db to a34dac6482e53e2c76944f25b1489b9b7da3a6e6 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.19 is affected
  • unaffected from 0 to 6.19 (excl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References