MEDIUM 5.5

CVE-2026-46161

A divide-by-zero vulnerability exists in the Linux kernel's RAID10 disk management code. When a user configures RAID10 with a "far_copies" value of zero, the kernel crashes instead of rejecting the invalid configuration. This requires local access and root-level privileges to trigger, making it a local denial-of-service risk rather than a remote compromise threat.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-369
Affected products
10 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the "improved" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero. Validate nc and fc immediately after extraction, returning -1 if either is zero.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The setup_geo() function in md/raid10.c processes layout parameters containing near_copies and far_copies values without validating them for zero. When far_copies=0 is supplied with the improved far set layout, the calculation 'geo->far_set_size = disks / fc' executes an integer division by zero, causing a kernel panic. The vulnerability stems from insufficient input validation on user-supplied layout configuration data passed through the RAID subsystem interface.

Business impact

Systems relying on RAID10 configurations for storage availability face denial-of-service risk if an unprivileged user with local shell access can reconfigure RAID geometry. The impact is constrained to availability (system crash and reboot required) with no data exfiltration or integrity compromise. For organizations running kernel versions prior to the fix, this represents a low but real uptime risk, particularly in multi-tenant or untrusted-user environments.

Affected systems

All versions of the Linux kernel running the RAID10 subsystem are potentially affected. The vulnerability requires local access and typically affects systems where non-root users can issue ioctl calls to reconfigure RAID devices. Server deployments, NAS appliances, and systems with shared shell access carry higher risk. Container environments may isolate exposure depending on device access controls.

Exploitability

Exploitation requires local system access and the ability to issue RAID configuration commands—typically restricted to root or the disk group on standard systems. However, if a system permits unprivileged users to modify RAID settings (through misconfigured sudo rules, for example), or if local privilege escalation exists elsewhere, the attack surface widens. No network exposure or special tools are necessary once local access is obtained; standard mdadm or ioctl-based tools suffice.

Remediation

Apply the kernel patch that adds validation of near_copies and far_copies immediately after extraction in setup_geo(), rejecting configurations where either value is zero. Verify against your Linux distribution's security advisories and kernel release notes for the specific patched version affecting your deployment. Until patched, restrict RAID configuration permissions strictly to root and trusted administrators.

Patch guidance

Check your distributor's kernel advisories (Red Hat, Canonical, SUSE, etc.) for the patched kernel version incorporating the fix to setup_geo(). Most distributions will backport the patch to stable kernel branches. Update kernel packages through standard package management; a system reboot is required for the new kernel to take effect. Verify the patch application by confirming the setup_geo() function now validates far_copies != 0 before division.

Detection guidance

Monitor kernel logs (dmesg, journalctl) for divide-by-zero exceptions or kernel panics originating from the md/raid10 code path. Audit RAID configuration commands and ioctl calls via auditd, focusing on mdadm invocations with suspicious layout parameters containing zero values. Alert on unexpected RAID subsystem errors or system reboots correlating with RAID reconfigurations. In compliance-heavy environments, periodically validate that no RAID configurations with zero far_copies values exist in active deployments.

Why prioritize this

Although the CVSS score is MEDIUM (5.5), this is a low-exploitation-probability vulnerability due to strict privilege requirements. Prioritize patching for systems where non-root RAID administration is permitted or where privilege escalation vulnerabilities exist. Standard server deployments with proper access controls can schedule updates in routine maintenance windows rather than emergency cycles. High-availability storage clusters dependent on RAID10 should coordinate updates with change control processes to minimize downtime.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects high attack complexity due to local-only access requirement and elevated privileges needed to trigger the crash. The vulnerability scores purely on availability impact (denial of service via kernel panic), with no confidentiality or integrity dimension. The score does not account for the relatively low real-world exploitability in properly configured multi-user systems, which may justify lower practical risk for many deployments.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and the ability to issue RAID configuration commands. Remote exploitation is not possible. An attacker would need shell access to the affected system, typically requiring prior compromise or valid credentials.

What user privileges are needed to trigger this bug?

Triggering the vulnerability typically requires root privileges or membership in the disk group with RAID configuration permissions. However, if a system has misconfigured sudo rules or other privilege escalation flaws, an unprivileged user might gain the ability to reconfigure RAID settings. Standard deployments restrict this capability to root only.

Will this crash cause data loss on the RAID10 array?

A kernel panic from this vulnerability causes the system to crash and reboot, but does not directly damage data on the RAID10 array. However, an unclean shutdown can potentially lead to filesystem inconsistencies if the array was actively being written to at the moment of crash. Running fsck after reboot is recommended.

How do I know if my system is vulnerable?

Check your kernel version against your distribution's security advisories. The vulnerability affects all kernel versions prior to the patch. You can verify your running kernel version with 'uname -r' and cross-reference against Red Hat, Ubuntu, SUSE, or your distributor's published patch information.

This analysis is based on publicly available vulnerability data and kernel source information as of the stated publication date. Specific patch versions and timelines vary by Linux distribution and kernel branch. Organizations should verify patch availability and testing requirements through their vendor's official security advisories before deployment. SEC.co makes no warranties regarding completeness or real-world exploitability; this explainer is for informational purposes to aid security decision-making. Always consult official Red Hat, Canonical, SUSE, or other vendor channels for authoritative patch guidance specific to your systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities