CVE-2026-46130
A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The fec_decode_bufs() function in dm-verity-fec incorrectly assumes parity bytes for Reed-Solomon codewords never straddle parity block boundaries. When v->fec->block_size equals 4096, v->fec->roots is set to non-default values (17, 19, 21, or 23), and buffer allocation is constrained due to memory pressure, the byte alignment calculation (272*i mod 4096, for example) can position parity data such that required bytes extend beyond the current block. The function then reads out-of-bounds from the parity block buffer. The CWE-125 out-of-bounds read occurs because the parsing logic does not account for block-boundary wraparound when handling split codewords.
Business impact
This vulnerability primarily affects systems using dm-verity for filesystem integrity verification, commonly found in containerized environments, secure boot chains, and embedded Linux devices. Exploitation could leak sensitive kernel memory contents or trigger denial-of-service through kernel crashes or hangs. The practical attack surface is narrow: an attacker with local access and the ability to configure non-default fec_roots parameters and induce memory pressure would be required. Most production deployments use default settings, significantly limiting real-world exposure. However, specialized use cases (Android devices, Chrome OS, container runtimes with custom dm-verity profiles) may warrant closer evaluation.
Affected systems
All Linux kernel versions contain this vulnerability. Systems using dm-verity with fec_roots values of 17, 19, 21, or 23 and buffer counts in specific ranges are affected: fec_roots=17 with nbufs in [1, 3, 5, 15]; fec_roots=19 with nbufs in [1, 229]; fec_roots=21 with nbufs in [1, 3, 5, 13, 15, 39, 65, 195]; fec_roots=23 with nbufs in [1, 89]. Default kernel configurations (typically fec_roots=2) are not vulnerable. Affected platforms include Android devices, Chrome OS, enterprise container hosts, and custom embedded Linux distributions that explicitly enable forward error correction with non-standard roots.
Exploitability
Exploitation requires local code execution with sufficient privileges to interact with dm-verity parity data. The vulnerability cannot be exploited remotely. An attacker must induce specific memory allocation conditions while the kernel processes dm-verity blocks with the vulnerable parameter combinations. Practical exploitation for information disclosure is possible but requires precise timing and environment setup. The narrow trigger conditions and requirement for privileged local access limit the severity in typical deployments. No public exploits are known, and the vulnerability is not tracked in active exploitation databases.
Remediation
Apply kernel updates that refactor parity block reading logic to correctly handle split codewords across block boundaries. Verify the patch resolves the issue for your specific fec_roots configuration. As an interim mitigation, review dm-verity configurations and revert fec_roots to default values (typically 2) if non-standard settings were intentionally enabled. Ensure adequate memory availability on systems using dm-verity to reduce the likelihood of the constrained buffer allocation scenario. Implement memory monitoring and alerting to detect low-memory conditions.
Patch guidance
Check your Linux distribution's kernel security advisory for the specific patch version addressing CVE-2026-46130. Canonical, Red Hat, SUSE, and other major distributors will backport the fix across supported kernel versions. For custom kernels, apply the upstream fix that refactors fec_decode_bufs() to properly handle parity byte boundaries. Testing should confirm the patch applies cleanly to your kernel version and that dm-verity continues to function correctly with your fec_roots configuration. Coordinate patching with any other dm-verity-dependent systems (e.g., container orchestration platforms) to ensure coordinated updates.
Detection guidance
Monitor kernel logs for dm-verity errors or out-of-bounds memory access warnings coinciding with fec_roots configuration values outside the default range. Use KASAN (Kernel Address Sanitizer) or similar memory debugging tools in test environments to confirm the vulnerability is present before patching. Observe memory allocation patterns under load; if buffer allocation consistently fails and falls back to lower buffer counts on your dm-verity deployment, you may hit the vulnerable code path. Audit dm-verity mount parameters across your infrastructure to identify systems with non-default fec_roots values.
Why prioritize this
Although the CVSS score of 7.1 (HIGH) reflects the severity of out-of-bounds reads and potential denial-of-service, the practical attack surface is substantially narrower. The vulnerability requires both non-default kernel configuration choices and local privileged access, combined with specific memory constraints. Prioritize patching if your organization uses Android, Chrome OS, or custom embedded deployments with explicitly configured fec_roots parameters. Standard Linux server and container deployments using default dm-verity settings can deprioritize this vulnerability relative to other HIGH-severity issues affecting default configurations. However, do not defer indefinitely; schedule patching within your normal security update cycle once vendor patches are available.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects a HIGH severity due to the combination of high confidentiality impact (kernel memory disclosure), high availability impact (potential system crash), low privileges required for local attack, and no user interaction needed once access is obtained. However, the 'AC:L' (low attack complexity) in the CVSS vector is tempered by the non-default configuration requirement and memory pressure preconditions, which reduce real-world exploitability. The score appropriately reflects the technical severity of the vulnerability but should be contextualized with your own risk assessment of whether your systems are configured with vulnerable fec_roots parameters.
Frequently asked questions
Does this vulnerability affect systems using dm-verity with default settings?
No. The vulnerability only manifests with non-default fec_roots values (17, 19, 21, or 23). Most Linux distributions and container platforms use the default fec_roots=2, which is not affected. Check your dm-verity mount parameters to confirm your configuration.
What is dm-verity and why should I care?
dm-verity is a Linux kernel device mapper target that provides cryptographic integrity verification for read-only block devices. It's widely used in Android, Chrome OS, and container runtimes to detect unauthorized modifications to filesystem data. The fec (forward error correction) feature allows recovery from minor corruption without failing the entire volume.
Can this be exploited remotely or through unprivileged user accounts?
No. The vulnerability requires local code execution with sufficient privilege to trigger dm-verity block processing and memory pressure conditions. Typical unprivileged users cannot directly interact with device mapper targets. This is a local privileged attack vector.
What should I do if my organization uses custom dm-verity configurations with non-default fec_roots?
Contact your kernel vendor (Canonical, Red Hat, SUSE, etc.) or upstream for patch availability targeting your specific kernel version. Test patches thoroughly in a non-production environment before deployment. Consider whether the non-default fec_roots configuration is necessary for your use case, or whether reverting to defaults would reduce attack surface while you await and validate patches.
This analysis is based on publicly available vulnerability information and vendor disclosures as of the publication date. Security landscape and patch availability may evolve; verify all recommendations against current vendor advisories and your organization's security policies. SEC.co does not provide legal advice, and this document should not be construed as a recommendation to defer necessary security updates. Test all patches in non-production environments before deployment. Exploit code, weaponized proof-of-concepts, and active exploitation details are not provided in this advisory. Organizations should consult their kernel vendors for authoritative patch guidance and support. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGH
CVE-2026-10889: Critical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGH
CVE-2026-10927: Chrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGH
CVE-2026-11015: Critical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-46133HIGH
CVE-2026-46133: Linux RDMA/rxe Kernel Panic via Invalid Opcode DoS
- CVE-2026-46138HIGH
CVE-2026-46138: Linux Bluetooth Kernel Out-of-Bounds Read and DoS Vulnerability
- CVE-2026-46140HIGH
CVE-2026-46140: Linux Kernel Bluetooth btmtk Driver Memory Disclosure
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability