PatchSiren cyber security CVE debrief

CVE-2026-46067 Linux CVE debrief

A vulnerability in the Linux kernel's DAMON (Data Access MONitor) subsystem allowed out-of-bounds memory access due to insufficient validation of the `damos_quota_goal->nid` (node ID) field. The DAMON core used this user-supplied value directly in `NODE_DATA()` macro calls for the `node_memcg_used_bp` and `node_memcg_free_bp` quota goal types without bounds checking. An attacker with local access and privileges to configure DAMON (via `damo` or similar tools) could trigger a kernel paging request fault by supplying an invalid node ID, potentially leading to denial of service. The fix adds validation so that the affected functions return safe default values (0% used, 100% free) when an invalid node ID is provided.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with DAMON enabled; security teams monitoring for local privilege escalation or denial-of-service vectors; kernel developers and maintainers of memory management subsystems; organizations using DAMON for memory optimization in production environments

Technical summary

The DAMON (Data Access MONitor) subsystem in the Linux kernel provides memory access monitoring and optimization capabilities. The quota goal feature allows users to configure memory management policies based on memory usage ratios. Two specific quota goal types, `node_memcg_used_bp` and `node_memcg_free_bp`, calculate used and free memory percentages for a specific NUMA node and memory cgroup. The vulnerability existed because the `nid` (node ID) field in `struct damos_quota_goal` was not validated before being passed to the `NODE_DATA()` macro, which indexes into a kernel per-node data structure. An invalid node ID therefore caused an out-of-bounds read, triggering a kernel paging request fault. The fix implements bounds checking: if the provided node ID is invalid (it does not name an available NUMA node), the functions return safe defaults (0% for used memory, 100% for free memory) rather than dereferencing invalid memory.
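As an added illustration (not the kernel's code, and not taken from the referenced commits), the following user-space C model shows the bounds check the fix introduces. A small per-node table stands in for what `NODE_DATA(nid)` reaches; the goal helper names, the basis-point unit (10000 = 100%) and the used/free formula are assumptions of the model. An out-of-range `nid` now yields the 0% used / 100% free defaults instead of an out-of-bounds read.

```c
/* Added illustration of the CVE-2026-46067 fix, not the kernel's own code.
 * A user-space model: a per-node table stands in for NODE_DATA(nid), and the
 * basis-point unit (10000 = 100%) and the helper names are assumptions. */
#include <stdio.h>

#define BP_FULL 10000UL               /* 100% in basis points (assumed unit) */

/* Constructed stand-in for the kernel's per-node data reached via NODE_DATA(nid). */
struct node_info {
    unsigned long total_pages;        /* pages on this NUMA node */
    unsigned long memcg_pages;        /* pages the cgroup has charged on this node */
};

static const struct node_info node_data[] = {   /* constructed sample: two nodes */
    { .total_pages = 4096, .memcg_pages = 1024 },
    { .total_pages = 2048, .memcg_pages = 2048 },
};
static const int nr_node_ids = sizeof node_data / sizeof node_data[0];

/* The missing check: a user-supplied damos_quota_goal->nid must name a real
 * node. Before the fix the value went straight into NODE_DATA(), so a nid
 * outside [0, nr_node_ids) read past the node table and faulted the kernel. */
static int node_id_valid(int nid)
{
    return nid >= 0 && nid < nr_node_ids;
}

/* node_memcg_used_bp-style goal: share of the node's memory the cgroup uses.
 * Invalid nid -> 0% used, the safe default the patch returns. */
unsigned long goal_node_memcg_used_bp(int nid)
{
    if (!node_id_valid(nid))
        return 0;
    const struct node_info *n = &node_data[nid];
    return n->memcg_pages * BP_FULL / n->total_pages;
}

/* node_memcg_free_bp-style goal: share of the node not used by the cgroup.
 * Invalid nid -> 100% free, the other safe default. */
unsigned long goal_node_memcg_free_bp(int nid)
{
    if (!node_id_valid(nid))
        return BP_FULL;
    return BP_FULL - goal_node_memcg_used_bp(nid);
}

int main(void)
{
    int nids[] = { 0, 1, 2, -1 };     /* last two are out of range, as a bad goal would supply */
    for (unsigned i = 0; i < sizeof nids / sizeof nids[0]; i++)
        printf("nid %2d: used %5lu bp, free %5lu bp\n", nids[i],
               goal_node_memcg_used_bp(nids[i]), goal_node_memcg_free_bp(nids[i]));
    return 0;
}
```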

Defensive priority

medium

Recommended defensive actions

  • Apply the referenced kernel patches (commits a34dac6482e53e2c76944f25b1489b9b7da3a6e6 and da10db73ada26345244ea5dc52f974692bd05f66), which validate damos_quota_goal->nid before it is used in NODE_DATA() macro calls
  • Upgrade to kernel versions containing the fix once available from your distribution
  • Restrict access to DAMON configuration interfaces (/sys/kernel/mm/damon and damo tool) to trusted administrative users only
  • Monitor for unexpected kernel paging request faults in dmesg logs that may indicate exploitation attempts
  • Review DAMON quota goal configurations for invalid node ID values in environments where DAMON is actively used

Evidence notes

The CVE description confirms the vulnerability was resolved in the Linux kernel. Two kernel.org commits are referenced as fixes. The issue was reproducible using the `damo` userspace tool with specific command-line arguments targeting cgroup memory monitoring. The crash manifested as 'Unable to handle kernel paging request at virtual address 0000000000002c00' in dmesg output.

Official resources

2026-05-27