PatchSiren cyber security CVE debrief

CVE-2026-46281 Linux CVE debrief

A buffer overflow vulnerability exists in the Linux kernel's vmalloc code, specifically in the vrealloc_node_align function. This function reallocates memory and can perform an out-of-bounds write when the requested size is smaller than the original size. The vulnerability was introduced by a commit that allowed forcing a new allocation if the current pointer is on the wrong NUMA node or if an alignment constraint is not met, even when the caller is shrinking the allocation.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-08
Advisory published: 2026-06-08
Advisory updated: 2026-06-08

Who should care

Linux kernel developers and users who rely on the vmalloc function should be aware of this vulnerability. This vulnerability may allow an attacker to escalate privileges or cause a denial of service.

Technical summary

The vrealloc_node_align function in the Linux kernel's vmalloc module has a buffer overflow vulnerability. When the function is called with a size smaller than the original size, it can perform an out-of-bounds write: it allocates a new buffer of 'size' bytes and then copies 'old_size' bytes (the original buffer's size) into it, so whenever old_size exceeds size the copy runs past the end of the new buffer.
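A constructed user-space model of the copy-length defect described above, added here as an example; it is not kernel code and not PatchSiren's material. The function names, buffer sizes and the redzone-after-buffer check are assumptions chosen to show why copying old_size bytes into a smaller buffer overruns it, and how clamping the copy to the new size avoids that.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE      64    /* guard bytes after the new buffer; an assumption, not a kernel constant */
#define REDZONE_BYTE 0xA5  /* fill pattern for the guard */
/* Outcome of one modelled "move" reallocation. */
struct move_result {
    bool   redzone_clobbered; /* the copy wrote past new_size */
    size_t copied;            /* bytes copied into the new buffer */
};

/*
 * Hypothetical model (not kernel code) of a reallocation forced to move to a fresh
 * buffer even when shrinking, the NUMA-node / alignment case in the summary.
 * clamp == false copies old_size bytes, the behaviour described for the vulnerable
 * path; clamp == true copies min(old_size, new_size). A redzone after the new buffer
 * keeps the overrun inside memory this program owns and makes it detectable.
 */
static struct move_result model_move_realloc(const unsigned char *old, size_t old_size,
                                             size_t new_size, bool clamp)
{
    struct move_result r = { false, 0 };
    size_t n = old_size;
    if (clamp && new_size < n)
        n = new_size;
    if (n > new_size + REDZONE) {  /* would overrun even the guard: report, do not copy */
        r.redzone_clobbered = true;
        return r;
    }
    unsigned char *buf = malloc(new_size + REDZONE);
    if (!buf)
        return r;
    memset(buf + new_size, REDZONE_BYTE, REDZONE);
    memcpy(buf, old, n);           /* n > new_size only on the unclamped shrink path */
    r.copied = n;
    for (size_t i = 0; i < REDZONE; i++)
        if (buf[new_size + i] != REDZONE_BYTE) { r.redzone_clobbered = true; break; }
    free(buf);
    return r;
}
/* Shrinks a 64-byte buffer to 16 bytes both ways; 1 when only the unclamped copy overruns. */
int shrink_demo(void)
{
    unsigned char old[64];
    memset(old, 0x11, sizeof old);
    struct move_result vuln  = model_move_realloc(old, sizeof old, 16, false);
    struct move_result fixed = model_move_realloc(old, sizeof old, 16, true);
    return vuln.redzone_clobbered && !fixed.redzone_clobbered && fixed.copied == 16;
}
```

Growing the allocation is unaffected in either mode, since old_size then fits inside the new buffer; only the shrink path differs.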

Defensive priority

High

Recommended defensive actions

  • Apply the patch from the Linux kernel repository [ref-4](https://git.kernel.org/stable/c/82d1f01292d3f09bf063f829f8ab8de12b4280a1), [ref-5](https://git.kernel.org/stable/c/b281adf71f786c325eb6d6d1582d4d05313438a8), or [c

Evidence notes

The Linux kernel repository has patches available to fix this vulnerability.

Official resources

CVE-2026-46281 was published on 2026-06-08T17:16:45.817Z.