Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46130— dm-verity-fec: fix reading parity bytes split across blocks (take 3)

AI Predicted 4.4 Difficulty: Hard EPSS 0.02% · P5

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinux6df90c02bae468a3a6110bafbc659884d0c4966c< 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcbaffected
6df90c02bae468a3a6110bafbc659884d0c4966c< 430a05cb926f6bdf53e81460a2c3a553257f3f61affected
6bc6ee31113b05db605694491bdeb2b1730142f1affected
12caa73a28f0ae147ec0356b45091edf2462462baffected
fc8943886629e26de34867db302c74d465510826affected
6.1.125< 6.2affected
6.6.72< 6.7affected
6.12.10< 6.13affected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46130

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
dm-verity-fec: fix reading parity bytes split across blocks (take 3)
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于dm-verity-fec中fec_decode_bufs()假设奇偶校验字节不跨块分割,可能导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 6df90c02bae468a3a6110bafbc659884d0c4966c ~ 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb -
LinuxLinux 6.13 -

II. Public POCs for CVE-2026-46130

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46130

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46130 (1)

Same Patch Batch · Linux · 2026-05-28 · 138 CVEs total

CVE-2026-461379.8 CRITICALmptcp: pm: ADD_ADDR rtx: fix potential data-race
CVE-2026-461959.8 CRITICALsmb: client: validate dacloffset before building DACL pointers
CVE-2026-461159.8 CRITICALblock: add pgmap check to biovec_phys_mergeable
CVE-2026-461359.8 CRITICALnvmet-tcp: fix race between ICReq handling and queue teardown
CVE-2026-461859.1 CRITICALsmb/client: fix out-of-bounds read in symlink_data()
CVE-2026-461199.1 CRITICALlibceph: Fix slab-out-of-bounds access in auth message processing
CVE-2026-461559.1 CRITICALsmb/client: fix out-of-bounds read in smb2_compound_op()
CVE-2026-461668.8 HIGHwifi: mac80211: use safe list iteration in radar detect work
CVE-2026-461258.8 HIGHwifi: mac80211: remove station if connection prep fails
CVE-2026-461748.8 HIGHx86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
CVE-2026-461988.8 HIGHbatman-adv: fix integer overflow on buff_pos
CVE-2026-462388.8 HIGHbatman-adv: stop caching unowned originator pointers in BAT IV
CVE-2026-461138.8 HIGHKVM: x86: Fix shadow paging use-after-free due to unexpected GFN
CVE-2026-461528.8 HIGHwifi: mac80211: drop stray 'static' from fast-RX rx_result
CVE-2026-462128.8 HIGHbatman-adv: bla: prevent use-after-free when deleting claims
CVE-2026-461388.1 HIGHBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
CVE-2026-462328.1 HIGHHID: playstation: Clamp num_touch_reports
CVE-2026-461457.8 HIGHRDMA/mana: Validate rx_hash_key_len
CVE-2026-461767.8 HIGHRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
CVE-2026-461977.8 HIGHdrm/amdkfd: validate SVM ioctl nattr against buffer size

Showing top 20 of 138 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46130

No comments yet

Leave a comment