HIGH 7.8

CVE-2026-46281: Linux Kernel vrealloc_node_align Buffer Overflow (CVSS 7.8)

A memory safety bug exists in the Linux kernel's virtual memory allocation code. When a function called vrealloc_node_align() is asked to reallocate memory under specific conditions—such as when the current allocation is on the wrong NUMA node or violates alignment requirements—it can accidentally write data beyond the boundaries of the newly allocated buffer. This happens because the code copies more data than the new buffer can hold when the reallocation is actually shrinking the requested size. An unprivileged local process can exploit this to overwrite adjacent kernel memory, potentially leading to information disclosure, privilege escalation, or system crashes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: vmalloc: fix buffer overflow in vrealloc_node_align() Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc") added the ability to force a new allocation if the current pointer is on the wrong NUMA node, or if an alignment constraint is not met, even if the user is shrinking the allocation. On this path (need_realloc), the code allocates a new object of 'size' bytes and then memcpy()s 'old_size' bytes into it. If the request is to shrink the object (size < old_size), this results in an out-of-bounds write on the new buffer. Fix this by bounding the copy length by the new allocation size.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the vrealloc_node_align() function, introduced in commit 4c5d3365882d. When the reallocation path (need_realloc) is triggered—typically to satisfy NUMA node placement or alignment constraints—the function allocates a new buffer of the requested 'size' and then uses memcpy() to transfer data from the old allocation. The flaw occurs when size < old_size (a shrinking operation): the memcpy() unconditionally copies 'old_size' bytes into a buffer that is only 'size' bytes large, causing a buffer overflow. The fix bounds the copy length to the minimum of old_size and the new allocation size, preventing the out-of-bounds write.

Business impact

This vulnerability allows local attackers with standard user privileges to corrupt kernel memory, potentially compromising system confidentiality, integrity, and availability. Affected systems may experience unexpected kernel behavior, information leaks, or be leveraged as a stepping stone for privilege escalation attacks. For organizations running vulnerable Linux kernels—particularly in cloud, container, or multi-tenant environments—this represents a meaningful lateral movement or privilege escalation risk that should be prioritized for remediation.

Affected systems

The Linux kernel is affected. The vulnerability was introduced in commit 4c5d3365882d and persists in versions until patched. Both stable and long-term support (LTS) kernel versions may be affected depending on when they incorporated the vulnerable commit. Systems running recent kernel versions from the 5.x+ release cycles are most likely to be vulnerable. Check your kernel version using 'uname -r' and cross-reference with your Linux distribution's security advisories for patch availability.

Exploitability

Exploitability is moderate to high. The vulnerability requires local code execution (not network-based), which is a necessary precondition. However, once an attacker has local access—even as an unprivileged user—triggering the vulnerable code path is straightforward: simply calling vrealloc_node_align() with a reallocation request that triggers NUMA node or alignment constraints. No special privileges, complex race conditions, or user interaction are required. The bug is deterministic and reliable to trigger. The CVSS 3.1 score of 7.8 (HIGH) reflects this: local attack vector, low complexity, low privileges required, and high impact on confidentiality, integrity, and availability.

Remediation

Patch the Linux kernel to a version that includes the fix for CVE-2026-46281. The specific patch bounds the memcpy() operation to min(size, old_size) to prevent the overflow. Contact your kernel vendor or distribution maintainer for patched releases. Interim mitigation (though not a complete substitute for patching) includes restricting unprivileged access to memory allocation APIs and monitoring for unusual kernel memory patterns, though these are challenging in practice.

Patch guidance

Apply the official kernel patch from your Linux distribution (Red Hat, Ubuntu, Debian, SUSE, etc.) as soon as it becomes available. Verify the patch version or commit hash against your vendor's security advisory to confirm it addresses CVE-2026-46281. Testing the patch in a non-production environment before wide deployment is recommended. Depending on your infrastructure, you may need to schedule a kernel reboot; live kernel patching (KLP) on Red Hat systems or kpatch/livepatch on others may reduce downtime if available.

Detection guidance

Monitor kernel logs (dmesg, journalctl) for memory corruption messages, segmentation faults, or panics that may indicate exploitation. System monitoring tools that track unexpected kernel crashes or reboots can signal active exploitation. Intrusion detection systems tuned to detect unusual memory allocation patterns or local privilege escalation attempts may also help. However, the most reliable detection is proactive: audit running kernel versions across your fleet and prioritize patching. Runtime memory sanitizers (KASAN, KMSAN if enabled in your kernel) may catch exploitation attempts in test or pre-production environments.

Why prioritize this

This vulnerability merits HIGH priority for patching due to its HIGH CVSS severity (7.8), low barrier to exploitation (local, unprivileged attacker), and direct impact on kernel integrity. While it requires local access, many real-world threat models include container escapes, supply-chain compromises, or insider threats. Delaying remediation increases the window for abuse, particularly in multi-tenant or cloud environments. Organizations running Linux kernels in production should treat this as urgent.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: AV:L (local attack vector—attacker must have code execution on the system), AC:L (low attack complexity—trivial to trigger), PR:L (low privileges—unprivileged user suffices), UI:N (no user interaction required), and S:U/C:H/I:H/A:H (impact is high across confidentiality, integrity, and availability). The score does not account for the lack of CISA KEV listing at the time of publication, which may indicate limited early adversarial weaponization, but this should not be read as a reason to deprioritize patching.

Frequently asked questions

Do I need local code execution to exploit this?

Yes. The vulnerability requires an attacker to already have the ability to execute code on the system—typically as an unprivileged user. It is not remotely exploitable. However, in containerized or cloud environments, this is a realistic threat model, since container breakout or lateral movement attacks frequently depend on local kernel bugs.

Which kernel versions are affected?

The vulnerability was introduced in commit 4c5d3365882d. Any kernel version that includes this commit and has not yet applied the fix is vulnerable. Generally, recent 5.x and 6.x kernel versions are affected. Consult your Linux distribution's security advisory for the exact affected versions and available patches.

Is there a temporary workaround if I cannot patch immediately?

There is no reliable workaround. The vulnerability is in core memory allocation logic that is difficult to disable or bypass without severely degrading system functionality. Patching is the only reliable mitigation. If immediate patching is impossible, restrict unprivileged user access, run containers with additional isolation, and prioritize patching in your maintenance schedule.

How does this differ from typical heap overflow vulnerabilities?

This is a kernel heap overflow, not a userspace one. Kernel memory corruption is more severe because the kernel controls all system resources and can lead to complete system compromise. Additionally, exploitation is not constrained by ASLR, DEP, or canaries in the same way userspace exploits are, making kernel bugs inherently more dangerous from a security perspective.

This intelligence is based on published CVE details and vendor disclosures available as of the analysis date. CVSS scores and severity ratings reflect the consensus of the security community at publication but may be revised as additional research emerges. Patch availability and timelines vary by Linux distribution; consult your vendor directly for release schedules. This document does not constitute legal advice or a guarantee of protection. Organizations should conduct independent risk assessment and testing in their own environments. No exploit code or weaponization details are provided; this analysis is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).