PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46020 Linux CVE debrief

A validation flaw in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged users to trigger out-of-bounds memory access through the DAMON_SYSFS interface. The vulnerability exists in the handling of `damos_quota_goal->nid` (node ID) parameters for `node_mem_{used,free}_bp` quota goals, which are passed to `si_meminfo_node()` and `NODE_DATA()` without proper bounds checking. An attacker with root privileges can exploit this by supplying an invalid node ID (such as -1) via the `damo` user-space tool, resulting in a NULL pointer dereference and potential kernel crash. The fix adds validation to ensure the node ID is valid before use, returning safe default values (0% used, 100% free) when an invalid node is specified.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and security teams running systems with DAMON enabled, particularly environments that use DAMON's memory monitoring and optimization features in production workloads.

Technical summary

The DAMON (Data Access MONitor) subsystem in the Linux kernel fails to validate the `nid` (node ID) field in `damos_quota_goal` structures when processing `node_mem_{used,free}_bp` quota goals. This field is used directly in calls to `si_meminfo_node()` and `NODE_DATA()` without bounds checking. A privileged attacker can trigger the vulnerability by configuring DAMON through the DAMON_SYSFS interface with an invalid node ID (e.g., -1), causing the kernel to dereference a NULL pointer at offset 0x98. The vulnerability is exploitable locally with root privileges using the `damo` user-space tool. The fix implements proper node ID validation, returning 0% for used memory and 100% for free memory when an invalid node is specified, preventing the out-of-bounds access.
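As an added illustration, not the kernel's code and not part of this advisory, the following user-space C model shows the unchecked lookup beside the validated one the fix describes. The node table, `NR_NODE_IDS`, the `node_data()`/`node_online()` helpers, the function names and the basis-point scale (10000 = 100%) are all constructed assumptions standing in for `NODE_DATA()`, `si_meminfo_node()` and the real NUMA topology.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed NUMA model: a fixed-size table whose entries are NULL for
 * nodes that are absent or offline, mirroring how a node ID resolves to
 * per-node data. Four node IDs, two of them populated. */
#define NR_NODE_IDS 4

struct node_mem {
    unsigned long total_pages;
    unsigned long free_pages;
};

static struct node_mem node0 = { .total_pages = 1000, .free_pages = 250 };
static struct node_mem node1 = { .total_pages = 2000, .free_pages = 2000 };
static struct node_mem *node_table[NR_NODE_IDS] = { &node0, &node1, NULL, NULL };

/* Raw lookup with no validation, the shape of the unpatched path. */
static struct node_mem *node_data(int nid) { return node_table[nid]; }

/* Validation the fix adds: in range and actually present. */
static bool node_online(int nid) {
    return nid >= 0 && nid < NR_NODE_IDS && node_table[nid] != NULL;
}

/* Unpatched shape: the quota goal's nid is trusted. With nid = -1 the index
 * is out of bounds; with an offline node the lookup yields NULL and the
 * field access faults, which is the crash the advisory describes. */
unsigned long node_mem_bp_unchecked(int nid, bool used) {
    struct node_mem *n = node_data(nid);
    unsigned long used_pages = n->total_pages - n->free_pages;
    return (used ? used_pages : n->free_pages) * 10000 / n->total_pages;
}

/* Patched shape: validate nid first and return the safe defaults the fix
 * specifies (0% used, 100% free) instead of touching per-node data. */
unsigned long node_mem_bp_checked(int nid, bool used) {
    if (!node_online(nid))
        return used ? 0 : 10000;
    return node_mem_bp_unchecked(nid, used);
}
```

Calling `node_mem_bp_checked(-1, ...)` returns the defaults, while the unchecked variant would index before the table; only the validated path is safe to call with untrusted node IDs.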

Defensive priority

medium

Recommended defensive actions

  • Apply the referenced kernel patches (commits 40250b2dded0604a112be605f3828700d80ad7c2, b09958e235f2b9cd3898b85a8529172afa80d212, bcad74078708f2330a45b55358ebc38f8f4b1127) to affected systems
  • Restrict access to DAMON_SYSFS and damo tooling to trusted administrative users only
  • Monitor for suspicious DAMON configuration attempts with invalid node IDs in system logs
  • Upgrade to kernel versions containing the validated fix when available through distribution channels

Evidence notes

The CVE description confirms the vulnerability was resolved via kernel patches. The issue was originally reported by another author who subsequently stopped working on the fix; the current patch series restarts that effort. The vulnerability requires privileged access (sudo/damo) to trigger. Three kernel.org stable commits are referenced as fixes.

Official resources

2026-05-27