PatchSiren cyber security CVE debrief
CVE-2026-23474 Linux CVE debrief
A buffer overflow vulnerability exists in the Linux kernel's RedBoot partition table parser within the MTD (Memory Technology Device) subsystem. The flaw occurs when parsing partition names: a memcmp() call reads beyond the bounds of a dynamically allocated buffer. When CONFIG_FORTIFY_SOURCE is enabled and the kernel is built with a recent compiler, this triggers a detected buffer overflow warning and a kernel oops during boot. The root cause is that the allocation size is calculated with strlen() while memcmp() is called with a potentially larger comparison length. The fix replaces memcmp() with strcmp() so the comparison remains within bounds. The attack vector is local: an attacker with low privileges could potentially cause denial of service through crafted partition table data.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-26
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-26
Who should care
Embedded Linux developers, IoT device manufacturers, industrial control system operators, and organizations running Linux on hardware with RedBoot firmware and MTD flash storage. This is particularly relevant for systems where local attackers may have low-privilege access to partition table data.
Technical summary
The vulnerability exists in drivers/mtd/parsers/redboot.c, where partition name comparison uses memcmp() with a length derived from the namelen field without proper bounds validation against the actual allocation size. The allocation uses strlen() on the source name, but namelen in the partition table could exceed this. With CONFIG_FORTIFY_SOURCE=y and modern compilers using __builtin_dynamic_object_size(), the out-of-bounds read is detected and triggers a kernel warning/oops. The fix replaces memcmp() with strcmp(), which naturally terminates at null bytes and so respects allocation boundaries. Affected systems include embedded devices using RedBoot firmware with MTD flash storage, particularly those with CONFIG_MTD_REDBOOT_PARTS enabled.
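The allocation and comparison pattern described above, modeled in user-space C as an added example (not the kernel's code and not part of the original advisory). The function names and the sample partition names are constructed for illustration, and the overrun is computed rather than executed so the program has no undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pack names back to back into one buffer sized by strlen()+1 per name,
 * the allocation pattern the summary describes. Returns NULL on failure. */
static char *pack_names(const char *const *names, size_t n, size_t *total)
{
    size_t len = 0, off = 0;
    for (size_t i = 0; i < n; i++)
        len += strlen(names[i]) + 1;
    char *buf = calloc(1, len);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        strcpy(buf + off, names[i]);
        off += strlen(names[i]) + 1;
    }
    *total = len;
    return buf;
}

/* Bytes past the allocation that memcmp(buf + off, key, cmplen) may read.
 * memcmp() is allowed to touch all cmplen bytes, and FORTIFY_SOURCE checks
 * cmplen against the object size before any byte is compared. */
static size_t memcmp_overrun(size_t total, size_t off, size_t cmplen)
{
    return off + cmplen > total ? off + cmplen - total : 0;
}

/* Bounded form: strcmp() stops at the NUL that pack_names() stored. */
static int name_is(const char *name, const char *key)
{
    return strcmp(name, key) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *const names[] = { "FIS directory", "boot" };
    const char key[] = "FIS directory";
    size_t total;
    char *buf = pack_names(names, 2, &total);
    if (!buf) return 1;
    size_t last = strlen(names[0]) + 1; /* offset of the short last name */
    printf("alloc=%zu overrun=%zu match=%d\n", total,
           memcmp_overrun(total, last, sizeof(key)), name_is(buf + last, key));
    free(buf);
    return 0;
}
```

A short name stored at the end of the buffer is the case that matters: a comparison length taken from the longer key extends past the allocation, while strcmp() ends at the stored terminator.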
Defensive priority
medium
Recommended defensive actions
- Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, or 6.19.10+
- Verify kernel configuration does not disable FORTIFY_SOURCE protections
- Monitor boot logs for RedBoot partition parsing warnings on embedded/MTD systems
- Review custom MTD partition table implementations for similar boundary issues
- Prioritize patching on systems using RedBoot firmware with MTD flash storage
Evidence notes
The CVE description confirms a buffer overflow in the RedBoot partition table parser, detected by FORTIFY_SOURCE. The CVSS score of 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack with low complexity, low privileges required, no user interaction, and high availability impact. Multiple stable kernel patches are provided across affected versions. NVD CPE criteria specify vulnerable version ranges from 2.6.12 through 6.19.9, with specific exclusions for patched versions.
Official resources
- CVE-2026-23474 CVE record (CVE.org)
- CVE-2026-23474 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
2026-04-03T16:16:35.260Z