CVE-2026-45990 Linux CVE debrief

Who should care

Linux kernel maintainers, distribution security teams, organizations running custom kernel builds, and security researchers tracking kernel memory safety issues

Technical summary

The vulnerability exists in mm/slub.c in the Linux kernel's __do_krealloc() function. When forced reallocation occurs due to alignment or NUMA node mismatches, two code paths fail to properly handle size calculations. In the NUMA migration path, jumping to 'alloc_new' before initializing 'ks' and 'orig_size' results in memcpy() copying zero bytes, causing silent data loss. In the shrinking path with forced alignment, memcpy() uses the original object size rather than new_size, writing beyond the allocated buffer. The kvrealloc() function shares the same overflow bug in its fallback path. The fix moves size calculation to function entry and applies min() bounding to all copy operations.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from stable branches when available for your distribution
• Monitor kernel security advisories from your Linux distribution for updated packages
• If running custom kernel builds, cherry-pick fix commits to affected branches
• Enable KFENCE or similar kernel memory safety detectors to detect exploitation attempts
• Review code using krealloc_node_align() with shrinking size parameters and forced alignment
• Audit kvrealloc() usage patterns that may trigger the fallback reallocation path

Evidence notes

Vulnerability introduced in commit 2cd8231796b5 (mm/slub: allow to set node and align in k[v]realloc). Fix commits provided for stable kernel branches. KFENCE detection confirms out-of-bounds write of 120 bytes past 64-byte allocation when shrinking from 128 bytes with 256-byte alignment. Affects krealloc_node_align_noprof and kvrealloc fallback paths.

Official resources