PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46130 Linux CVE debrief

A vulnerability in the Linux kernel's dm-verity-fec (device-mapper verity forward error correction) subsystem could cause out-of-bounds reads from parity block buffers during Reed-Solomon decoding. The issue occurs in `fec_decode_bufs()` when parity bytes for the first RS codeword span across block boundaries—a condition triggered by specific non-default `fec_roots` values combined with low-memory conditions that limit buffer allocation. The vulnerability manifests when certain alignment conditions are met: for example, with `block_size=4096` and `fec_roots=17`, affected buffer counts include 1, 3, 5, and 15. The fix refactors parity block reading to handle split parity bytes correctly. This is a local vulnerability affecting integrity-verified block devices; exploitation requires specific dm-verity FEC configurations and memory pressure conditions.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running Linux systems with dm-verity FEC enabled for integrity-verified storage, particularly those using non-default FEC configurations or operating under memory constraints; embedded and mobile device manufacturers utilizing dm-verity for verified boot; security teams monitoring kernel memory safety issues

Technical summary

The dm-verity-fec subsystem in the Linux kernel contains an incorrect assumption in `fec_decode_bufs()` that parity bytes for the first RS codeword are never split across parity blocks. When `v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS)` results in parity byte consumption that crosses block boundaries (e.g., 272 bytes with roots=17, nbufs=1, block_size=4096), subsequent decoding operations read beyond allocated parity block buffers. The alignment iterates through 272*i mod 4096; at i=15, only 16 bytes remain in the block but 17 are needed, causing out-of-bounds access. Trigger conditions require specific non-default fec_roots values combined with memory-constrained buffer allocation (nbufs < maximum). Affected configurations: fec_roots=17 with nbufs∈{1,3,5,15}; fec_roots=19 with nbufs∈{1,229}; fec_roots=21 with nbufs∈{1,3,5,13,15,39,65,195}; fec_roots=23 with nbufs∈{1,89}. The fix refactors parity block reading logic to properly handle split parity bytes.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the dm-verity-fec parity block reading refactor when available from your Linux distribution
  • Review systems using dm-verity with FEC (forward error correction) enabled, particularly those with non-default fec_roots values
  • Monitor for kernel stable releases incorporating commits 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb and 430a05cb926f6bdf53e81460a2c3a553257f3f61
  • Assess whether dm-verity FEC configurations use affected parameter combinations (fec_roots=17,19,21,23 with constrained buffer counts)
  • Consider disabling dm-verity FEC temporarily on critical systems if patching is delayed and the specific vulnerable configuration is confirmed

Evidence notes

Vulnerability description and technical details sourced from official CVE record and NVD entry. Patch references confirmed via kernel.org stable tree commits. Vendor identification marked low confidence due to 'Unknown Vendor' classification in source data; Linux kernel is the affected product.

Official resources

2026-05-28