CVE Catalog

CVE-2026-46190

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel that allows for an out-of-bounds read in the spi_nor_params_show() function. The issue arises from incorrect size calculations of an array of pointers, leading to improper bounds checking in the spi_nor_print_flags() function.

Risk Assessment

This vulnerability may lead to unauthorized memory reads, posing a risk of sensitive information disclosure or system instability. Organizations should be aware of the potential threats associated with the exploitation of this flaw.

Recommendation

It is recommended to update the Linux kernel to the latest version where this vulnerability has been fixed. A code audit should also be conducted to ensure that similar errors do not exist in other parts of the system.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS