HIGH 7.8

CVE-2026-46253: Linux Kernel pstore/ramoops Buffer Overflow Privilege Escalation

CVE-2026-46253 is a memory corruption vulnerability in the Linux kernel's pstore/ramoops subsystem—the component responsible for preserving system crash logs and diagnostic data across reboots. The flaw occurs in a function called persistent_ram_save_old() that manages historical crash data. When the kernel tries to save old crash logs, it can allocate a buffer that's too small, then later write more data into it than it can hold. This is a classic heap buffer overflow. The vulnerability requires a very specific sequence of events: a prior crash that didn't fill the entire log buffer, followed by a non-fatal kernel oops (error) that writes a larger log, combined with the pstore background timer being enabled. While the conditions are difficult to meet, when they do occur, an attacker with local access could potentially exploit this to corrupt kernel memory and escalate privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
6 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: pstore/ram: fix buffer overflow in persistent_ram_save_old() persistent_ram_save_old() can be called multiple times for the same persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz for PSTORE_TYPE_DMESG records). Currently, the function only allocates prz->old_log when it is NULL, but it unconditionally updates prz->old_log_size to the current buffer size and then performs memcpy_fromio() using this new size. If the buffer size has grown since the first allocation (which can happen across different kernel boot cycles), this leads to: 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer using the incorrect (larger) old_log_size The KASAN splat would look similar to: BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x... Read of size N at addr ... by task ... The conditions are likely extremely hard to hit: 0. Crash with a ramoops write of less-than-record-max-size bytes. 1. Reboot: ramoops registers, pstore_get_records(0) reads old crash, allocates old_log with size X 2. Crash handler registered, timer started (if pstore_update_ms >= 0) 3. Oops happens (non-fatal, system continues) 4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X) 5. pstore_new_entry = 1, pstore_timer_kick() called 6. System continues running (not a panic oops) 7. Timer fires after pstore_update_ms milliseconds 8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1) 9. ramoops_get_next_prz() → persistent_ram_save_old() 10. buffer_size() returns Y, but old_log is X bytes 11. Y > X: memcpy_fromio() overflows heap Requirements: - a prior crash record exists that did not fill the record size (almost impossible since the crash handler writes as much as it can possibly fit into the record, capped by max record size and the kmsg buffer almost always exceeds the max record size) - pstore_update_ms >= 0 (disabled by default) - Non-fatal oops (system survives) Free and reallocate the buffer when the new size differs from the previously allocated size. This ensures old_log always has sufficient space for the data being copied.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in persistent_ram_save_old(), called during pstore record reading. The function allocates prz->old_log only when it is NULL but unconditionally updates prz->old_log_size to the current buffer_size(). If the buffer grows between invocations—possible across kernel boot cycles or during the same runtime—a subsequent memcpy_fromio() will attempt to copy more data than the previously allocated buffer can hold, resulting in a heap-based buffer overflow (CWE-787). The KASAN memory sanitizer would detect this as a slab-out-of-bounds condition. Additionally, the incorrect old_log_size causes out-of-bounds reads when ramoops_pstore_read() later accesses the buffer. The fix reallocates the buffer when the new size differs from the previously allocated size, ensuring sufficient capacity.

Business impact

Organizations running systems with pstore/ramoops enabled (particularly edge devices, IoT platforms, and systems requiring persistent crash logging) face a localized privilege escalation risk. Successful exploitation allows an unprivileged local process to corrupt kernel memory, potentially leading to denial of service or privilege escalation to root. The blast radius is limited by the requirement for prior crash conditions and a running pstore timer, but systems relying on ramoops for firmware or kernel diagnostics are directly affected. The impact on cloud infrastructure is minimal unless host systems have ramoops configured, but bare-metal and embedded deployments should treat this as a meaningful security concern.

Affected systems

The Linux kernel is affected across multiple versions where pstore/ramoops functionality is enabled. The vulnerability specifically impacts systems configured with ramoops persistence (common on ARM, embedded, and some enterprise platforms). Systems with pstore_update_ms set to a non-negative value are at higher risk, as this enables the background timer that triggers the vulnerable code path. Standard server deployments with ramoops disabled are unaffected. The vulnerability requires local access to the compromised system, making remote exploitation infeasible.

Exploitability

Exploitation requires a specific precondition sequence that is 'extremely hard to hit,' per the advisory: a prior partial crash record (undersized), pstore timer enabled, a surviving non-fatal oops, and precise timing for the background recovery job to run before cleanup occurs. The prerequisites are so restrictive that accidental triggering in production is unlikely. However, a sophisticated local attacker with detailed kernel internals knowledge could theoretically craft conditions to trigger the overflow. The requirement for local code execution significantly constrains the threat model. CVSS 7.8 (HIGH, AV:Local, AC:Low, PR:Low) reflects the local privilege escalation potential despite difficult trigger conditions.

Remediation

Apply a kernel update that includes the fix to persistent_ram_save_old(). The patch reallocates prz->old_log when the new buffer size differs from the previously allocated size, eliminating the overflow condition. Verify the fix has been merged into your kernel branch and applied to production systems. As an interim control, systems can disable pstore/ramoops if crash preservation is not operationally necessary, or set pstore_update_ms to a negative value to disable the background timer and prevent the vulnerable code path from being invoked.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates addressing CVE-2026-46253. The fix is in the pstore subsystem (likely in fs/pstore/ram.c). Verify the patch is present in your kernel version by checking the commit history or release notes. For custom kernels, cherry-pick the fix from the stable kernel repository. Testing should confirm that ramoops still functions correctly and that crash logs are properly preserved after patching. Prioritize patching systems where ramoops is actively configured and pstore_update_ms is enabled.

Detection guidance

Monitor system logs for KASAN splats or memory corruption warnings related to ramoops_pstore_read() and persistent_ram_save_old(). Enable kernel address sanitizer (KASAN) on test systems to detect the out-of-bounds access. In production, watch for unexpected kernel panics or memory corruption signatures (heap corruption messages, invalid pointer dereferences in pstore code paths). Monitor dmesg for ramoops-related errors or warnings indicating buffer size mismatches. Systems with CONFIG_KASAN enabled will immediately surface exploitation attempts as BUG reports.

Why prioritize this

Prioritize patching systems where pstore/ramoops is enabled and pstore_update_ms is set to a non-negative value. Embedded systems, IoT devices, and edge computing platforms using ramoops for persistent diagnostics should be prioritized. Enterprise servers with disabled ramoops can defer patching. The HIGH CVSS score and local privilege escalation potential warrant timely remediation for affected systems, particularly in multi-tenant or high-security environments where unprivileged users have local access.

Risk score, explained

CVSS 7.8 reflects the seriousness of the memory corruption (high impact on confidentiality, integrity, and availability) but is moderated by the local-only attack vector and the extremely difficult precondition sequence required to trigger the vulnerability. The low complexity (AC:L) indicates that once conditions align, exploitation is straightforward, but Low Privilege requirement means an unprivileged account suffices. The vulnerability is not known to be widely exploited and has not been added to the CISA KEV catalog, indicating limited real-world active exploitation at the time of publication.

Frequently asked questions

What is ramoops and why should I care about this vulnerability?

Ramoops is a Linux kernel module that preserves system crash logs and kernel messages in RAM across reboots, enabling post-mortem analysis of kernel panics and crashes. It's commonly used on embedded systems, IoT devices, and some enterprise platforms. This vulnerability affects the mechanism that manages historical crash records, creating a memory corruption risk on systems with ramoops enabled.

Is my system affected if I've never heard of ramoops?

Likely not. Ramoops is disabled by default and must be explicitly configured during kernel compilation or via boot parameters. Check your kernel config (grep CONFIG_PSTORE_RAM /boot/config-*) and boot parameters to confirm. Most standard server distributions ship with ramoops disabled unless the platform specifically requires persistent crash logging.

Can this be exploited remotely?

No. The vulnerability requires local code execution and the ability to trigger a precise sequence of kernel events involving crash logging. Remote exploitation is not possible; an attacker must have an account or shell access on the target system.

If pstore_update_ms is negative, am I protected?

Yes, setting pstore_update_ms to a negative value disables the background pstore recovery timer, which prevents the vulnerable code path from being invoked. However, you should still apply the patch as soon as possible rather than relying on this configuration workaround long-term.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and vulnerability classifications are subject to change as new information emerges. Organizations should verify all patch versions, affected product versions, and remediation steps against official vendor advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends independent verification of all technical claims. This document does not constitute legal, compliance, or professional security advice; consult qualified security professionals for your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).