CVE Catalog

CVE-2026-46070

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel regarding the validation of payload size before accessing journal metadata in RAID5. The functions r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() do not validate payload sizes, which can lead to out-of-bounds reads.

Risk Assessment

A maliciously modified journal may lead to out-of-bounds reads, posing a risk to data integrity and potential information leakage. Organizations should be aware that this vulnerability may impact the stability and security of systems using RAID5.

Recommendation

It is recommended to update the Linux kernel to the latest version that includes fixes for this vulnerability. Additionally, conducting an audit of the RAID5 configuration is advisable to ensure there are no other potential metadata issues.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS