HIGH 7.1

CVE-2026-46190: Linux Kernel SPI-NOR Debugfs Out-of-Bounds Read Vulnerability

A memory access flaw exists in the Linux kernel's SPI NOR flash debugging code. When displaying flash chip parameters through the debugfs interface, the kernel incorrectly calculates the size of an internal lookup table, treating the table's byte-size instead of its element count. This can cause the kernel to read memory beyond the intended bounds when processing certain flag values. An unprivileged local user could exploit this to crash the system or potentially leak sensitive kernel memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46190 is an out-of-bounds read vulnerability in the Linux kernel's MTD/SPI-NOR subsystem, specifically within the spi_nor_params_show() debugfs handler. The flaw stems from passing sizeof(snor_f_names) to spi_nor_print_flags() instead of the array's element count via ARRAY_SIZE(). Since snor_f_names is an array of pointers, sizeof() returns the total bytes (element_count * sizeof(void*)), which on 64-bit systems inflates the length by a factor of 8. The inflated bounds-check value permits out-of-bounds array access when flag bits correspond to indices within the byte-size but beyond the actual element count, violating CWE-125 (out-of-bounds read).

Business impact

This vulnerability affects the availability and confidentiality of Linux systems. Local attackers can trigger a kernel panic, disrupting services running on affected systems. Additionally, the out-of-bounds read may expose kernel memory contents, potentially revealing security-sensitive data or information useful for further exploitation. Systems with SPI-NOR flash devices and debugfs enabled are at risk, though the attack requires local access and unprivileged execution capability. Managed service providers, embedded Linux deployments, and multi-tenant environments face the greatest operational risk.

Affected systems

The Linux kernel is affected. Vulnerability requires debugfs to be mounted and accessible (common in development and some production environments). Impact is primarily on systems using SPI-NOR flash memory devices, including ARM-based embedded systems, IoT devices, and platforms with external NOR flash storage. The vulnerability applies to all Linux kernel versions containing the vulnerable spi_nor_params_show() code; specific affected versions should be verified against the kernel security advisories and your kernel's release notes.

Exploitability

Exploitation requires local access and unprivileged user privileges to read from debugfs (typically mounted at /sys/kernel/debug). No network access is required. The attack is reliable and deterministic—an attacker simply needs to read the vulnerable debugfs file with a flag value that triggers the out-of-bounds condition. The barrier to exploitation is low, though practical impact depends on system configuration and whether debugfs is exposed to untrusted users. No known public exploits have been disclosed, but the vulnerability is straightforward to weaponize.

Remediation

Patch the Linux kernel using ARRAY_SIZE() instead of sizeof() when passing the snor_f_names array to spi_nor_print_flags(). This ensures the correct element count is used for bounds-checking. Administrators should apply kernel updates from their distribution or Linux.org when available. As an interim mitigation, restrict debugfs access by ensuring /sys/kernel/debug is not world-readable and is accessible only to trusted administrators (e.g., via kernel.debugfs_restrict_access or mount options). Consider disabling debugfs entirely on production systems that do not require it.

Patch guidance

Monitor your Linux distribution's security advisories for a patched kernel version addressing this MTD/SPI-NOR debugfs issue. Apply patches during a scheduled maintenance window with appropriate system reboot planning. Verify the patch includes the ARRAY_SIZE() correction in the spi_nor_params_show() function. Test patched kernels in a non-production environment first to confirm compatibility with your hardware and workloads. Kernel versions will vary by distribution; consult your vendor's advisory for specific version numbers and timelines.

Detection guidance

Monitor system logs (dmesg, kernel.log) for kernel panics or out-of-bounds access warnings that may indicate exploitation attempts. Audit debugfs mount points and file permissions to identify overly permissive configurations. If debugfs is mounted, verify access controls restrict it to root and authorized personnel. Monitor local process execution for suspicious reads of /sys/kernel/debug/spi_nor_params or similar MTD debugfs files from unprivileged users. Kernel Address Sanitizer (KASAN) or similar debugging tools, if enabled, will detect and report the out-of-bounds read at runtime.

Why prioritize this

Although CVE-2026-46190 requires local access and is not remotely exploitable, its CVSS 7.1 HIGH severity reflects the combination of achievable denial-of-service impact and potential information disclosure. The low complexity and unprivileged attack vector, coupled with realistic multi-user and containerized deployment scenarios, make this a meaningful risk for most organizations. Prioritize patching for systems where debugfs is exposed, shared hosting environments, and embedded/IoT infrastructure where local threat actors are more likely. Production servers in isolated environments may be lower priority if debugfs access is properly restricted.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects: (1) Local attack vector requiring physical or credential-based system access; (2) Low attack complexity with no special conditions needed once local access is obtained; (3) Low privilege requirement—unprivileged users can trigger the flaw via debugfs; (4) High confidentiality impact from potential kernel memory exposure; (5) High availability impact from kernel panic/crash; (6) No integrity impact since the flaw is read-only. The score appropriately prioritizes this above low-impact vulnerabilities but below remote code execution or remote denial-of-service flaws.

Frequently asked questions

Does this affect my system if debugfs is not mounted?

No. If debugfs is not mounted, or is mounted with restrictive permissions (readable only by root), the vulnerability is not directly exploitable by unprivileged attackers. Verify your system configuration with 'mount | grep debugfs' and 'ls -ld /sys/kernel/debug'.

Can this vulnerability be exploited remotely?

No. Exploitation requires local access and unprivileged execution on the affected system. This is not a network-facing vulnerability and does not affect systems where physical and shell access are properly restricted.

What is the difference between sizeof() and ARRAY_SIZE() that caused this bug?

sizeof() returns the total byte size of a variable or array in memory. For an array of pointers, it returns element_count × sizeof(void*). ARRAY_SIZE() is a macro that calculates the true number of elements by dividing sizeof(array) by sizeof(array[0]). Using ARRAY_SIZE() ensures the bounds-check correctly reflects the actual number of string pointers, not their byte representation.

Should I disable debugfs entirely to mitigate this?

On production systems that do not require kernel debugging, disabling debugfs is a reasonable defense-in-depth measure. However, patching is the proper long-term fix. If debugging is needed, ensure debugfs is mounted with restrictive permissions (e.g., mode 0700) and accessible only to trusted administrators.

This analysis is based on the published CVE record and Linux kernel security advisory. Specific affected kernel versions and patch availability vary by distribution; consult your vendor's security advisories for precise version numbers and timelines. This vulnerability requires local system access and is not remotely exploitable. Organizations should verify debugfs configuration and implement access controls as part of a defense-in-depth strategy. No public exploit code or weaponized proof-of-concept is included or endorsed by this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).