FKIE_CVE-2026-45990

Vulnerability from fkie_nvd - Published: 2026-05-27 14:17 - Updated: 2026-05-27 14:48
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: slub: fix data loss and overflow in krealloc() Commit 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc") introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA node, even when the object is being shrunk. This introduced two bugs in the reallocation fallback path: 1. Data loss during NUMA migration: The jump to 'alloc_new' happens before 'ks' and 'orig_size' are initialized. As a result, the memcpy() in the 'alloc_new' block would copy 0 bytes into the new allocation. 2. Buffer overflow during shrinking: When shrinking an object while forcing a new alignment, 'new_size' is smaller than the old size. However, the memcpy() used the old size ('orig_size ?: ks'), leading to an out-of-bounds write. The same overflow bug exists in the kvrealloc() fallback path, where the old bucket size ksize(p) is copied into the new buffer without being bounded by the new size. A simple reproducer: // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW while (1) { void *p = kmalloc(128, GFP_KERNEL); p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE); kfree(p); } demonstrates the issue: ================================================================== BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130 Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47): memcpy_orig+0x68/0x130 krealloc_node_align_noprof+0x1c8/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64 allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago): krealloc_node_align_noprof+0x19c/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... ================================================================== Fix it by moving the old size calculation to the top of __do_krealloc() and bounding all copy lengths by the new allocation size.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslub: fix data loss and overflow in krealloc()\n\nCommit 2cd8231796b5 (\"mm/slub: allow to set node and align in\nk[v]realloc\") introduced the ability to force a reallocation if the\noriginal object does not satisfy new alignment or NUMA node, even when\nthe object is being shrunk.\n\nThis introduced two bugs in the reallocation fallback path:\n\n1. Data loss during NUMA migration: The jump to \u0027alloc_new\u0027 happens\n   before \u0027ks\u0027 and \u0027orig_size\u0027 are initialized. As a result, the\n   memcpy() in the \u0027alloc_new\u0027 block would copy 0 bytes into the new\n   allocation.\n\n2. Buffer overflow during shrinking: When shrinking an object while\n   forcing a new alignment, \u0027new_size\u0027 is smaller than the old size.\n   However, the memcpy() used the old size (\u0027orig_size ?: ks\u0027), leading\n   to an out-of-bounds write.\n\nThe same overflow bug exists in the kvrealloc() fallback path, where the\nold bucket size ksize(p) is copied into the new buffer without being\nbounded by the new size.\n\nA simple reproducer:\n\n\t// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW\n\twhile (1) {\n\t\tvoid *p = kmalloc(128, GFP_KERNEL);\n\t\tp = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);\n\t\tkfree(p);\n\t}\n\ndemonstrates the issue:\n\n  ==================================================================\n  BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130\n\n  Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):\n   memcpy_orig+0x68/0x130\n   krealloc_node_align_noprof+0x1c8/0x340\n   lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]\n   lkdtm_do_action+0x3a/0x60 [lkdtm]\n   ...\n\n  kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64\n\n  allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):\n   krealloc_node_align_noprof+0x19c/0x340\n   lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]\n   lkdtm_do_action+0x3a/0x60 [lkdtm]\n   ...\n  ==================================================================\n\nFix it by moving the old size calculation to the top of __do_krealloc()\nand bounding all copy lengths by the new allocation size."
    }
  ],
  "id": "CVE-2026-45990",
  "lastModified": "2026-05-27T14:48:03.013",
  "metrics": {},
  "published": "2026-05-27T14:17:16.527",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.