CVE-2026-52905: Linux Kernel DAMON Invalid Region Size Denial of Service
A bug in the Linux kernel's DAMON (Data Access Monitoring) subsystem allows administrators or local users to configure memory monitoring settings with invalid parameters, potentially causing system instability or denial of service. The vulnerability stems from incomplete validation of the minimum region size parameter—it must be a power of two, but the DAMON sysfs interface can accept non-power-of-two values, leading to unaligned memory address ranges that violate kernel assumptions. This creates conditions for crashes or hangs during memory access monitoring operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two min_region_sz on damon_start() Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start(). The issue was discovered by sashiko [1].
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52905 describes a validation gap in the Linux kernel's DAMON core module. Commit d8f867fa0825 introduced a min_region_sz parameter to control memory region granularity, but failed to enforce the power-of-two requirement consistently. While a later fix (commit c80f46ac228b) added validation in the damon_commit_ctx() path, the damon_start() function—used by the DAMON sysfs interface—lacked the is_power_of_2() check. This permits callers to invoke damon_start() with non-power-of-two min_region_sz values, resulting in unaligned DAMON region address ranges that corrupt internal kernel state or trigger assertion failures.
Business impact
On affected systems, this vulnerability enables local denial of service. Unprivileged users with DAMON sysfs access can crash or hang the kernel by supplying malformed monitoring parameters, disrupting workloads and potentially requiring reboot. On servers using DAMON for performance profiling or resource optimization, malicious or misconfigured monitoring jobs could destabilize production environments. The impact is localized to systems actively using DAMON; systems without DAMON enabled or those that don't expose the sysfs interface to untrusted users face minimal risk.
Affected systems
The vulnerability affects Linux kernel deployments that include DAMON support. Specifically, systems where the DAMON sysfs interface (/sys/kernel/debug/damon/) is accessible to non-root users, or where untrusted local users can write monitoring configuration, are at risk. Container environments, shared Linux systems, and multi-tenant infrastructure where DAMON is enabled and exposed present the highest risk. The fix applies to the mainline Linux kernel; backport availability and timing vary by distribution.
Exploitability
Exploitation requires local access and the ability to write to the DAMON sysfs interface. The attack is straightforward: an unprivileged user simply writes an invalid (non-power-of-two) min_region_sz value through the sysfs API, triggering the kernel to attempt invalid memory operations. No special kernel knowledge, elevated privileges, or race conditions are needed. The barrier to exploitation is low, constrained only by access control on the sysfs interface.
Remediation
Apply the upstream Linux kernel patch that adds is_power_of_2() validation to the damon_start() function. Verify that your kernel version incorporates commit c80f46ac228b or later, and ensure the fix extends to the damon_start() code path, not just damon_commit_ctx(). Consult your Linux distribution's security advisories for backported patches to stable or LTS kernel branches. Temporarily, restrict sysfs write permissions on DAMON interfaces to root-only if practical for your environment.
Patch guidance
Check your kernel version against your Linux distribution's CVE tracking database to confirm patch status. For distributions using mainline tracking (Fedora, openSUSE Tumbleweed), ensure you are running a kernel built after the fix commit. For LTS kernels (Ubuntu, RHEL, Debian stable), wait for your distribution's backport announcement or manually verify the commit is included. The patch is minimal—a single is_power_of_2() check addition—so look for it in kernel release notes or commit logs under mm/damon/core.
Detection guidance
Monitor system logs for DAMON-related errors or kernel crashes triggered by invalid monitoring parameters. Look for BUG_ON or assertion failures in damon_start() or DAMON region allocation code. If DAMON sysfs access is logged or audited, flag attempts to set min_region_sz to non-power-of-two values. Test your deployed kernels by attempting to write invalid min_region_sz values through /sys/kernel/debug/damon/ with an unprivileged user account; if it succeeds and crashes the system, the vulnerability is present.
Why prioritize this
Although rated MEDIUM severity with a CVSS score of 5.5, this vulnerability warrants prompt patching on systems where DAMON is actively used and sysfs interfaces are exposed to multiple users. The low exploitability barrier and direct denial of service impact make it a practical attack vector in shared infrastructure. However, air-gapped systems, single-tenant servers, or environments where DAMON is disabled can safely defer patching. Prioritize systems running Kubernetes clusters, container orchestration platforms, or research computing environments that profile memory behavior.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector, low privileges required, no user interaction, and availability impact only. The scoring appropriately downrates this from HIGH because it requires local access and affects only system availability, not confidentiality or integrity. The score is neither low nor critical, aligning with its role as a DoS vector that requires deliberate misconfiguration or active exploitation.
Frequently asked questions
Does this affect me if I'm not using DAMON?
No. DAMON is a kernel subsystem for monitoring memory access patterns; it is optional and typically compiled out on systems that don't need fine-grained memory profiling. If you haven't explicitly enabled DAMON kernel configuration or are unsure, this vulnerability does not pose a risk.
Can this be exploited remotely?
No. The vulnerability is strictly local; it requires the attacker to have access to the system and write permissions on the DAMON sysfs interface. Remote exploitation is not possible.
What kernel versions are affected?
Kernels that include DAMON support (approximately Linux 5.16+) and have not yet applied the damon_start() validation patch are affected. Check the Linux kernel release notes and your distribution's CVE advisories to determine your specific version status.
Is there a workaround if I can't patch immediately?
Yes, restrict sysfs access by removing world-writable permissions on /sys/kernel/debug/damon/ or disable the debugfs mount entirely. Ensure that only trusted administrators can configure DAMON monitoring parameters.
This analysis is based on publicly available information current as of the publication date. CVE-2026-52905 carries a CVSS score of 5.5 (MEDIUM) and does not appear on the CISA Known Exploited Vulnerabilities catalog as of the data snapshot. Patch version numbers and specific kernel commit SHAs are provided for reference; verify their availability and applicability with your Linux distribution's official security advisories before deployment. This document is for informational purposes and does not constitute legal or professional security advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9801MEDIUMKeycloak LDAP OutOfMemoryError Denial of Service
- CVE-2026-47329LOWUbuntu Linux AppArmor Notification Validation Flaw
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2025-71315MEDIUMLinux Kernel vkms DRM Vblank Timer Denial of Service
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)