PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46294 Linux CVE debrief

CVE-2026-46294 is a buffer overflow vulnerability in the Linux kernel's device mapper (dm) subsystem. The vulnerability exists in the `retrieve_status` function of `dm-ioctl`. An attacker can cause a buffer overflow by exploiting an alignment feature. However, this vulnerability has no security implications as only root can issue device mapper ioctls and commonly used libraries communicate with device mapper using buffer sizes aligned to 8 bytes.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-08
Advisory published
2026-06-08
Advisory updated
2026-06-08

Who should care

Linux kernel developers and maintainers, Linux distribution vendors, and users of Linux-based systems.

Technical summary

The buffer overflow occurs in the `retrieve_status` function of `dm-ioctl`. The function checks if the output string fits into the output buffer, writes the output string, aligns the `outptr` variable to the next 8-byte boundary, and then iterates a loop that writes more data past the end of the buffer. However, due to the constraints that only root can issue device mapper ioctls and commonly used libraries use buffer sizes aligned to 8 bytes, this vulnerability has no practical security implications.

Defensive priority

Low

Recommended defensive actions

  • Apply kernel patches that fix the buffer overflow vulnerability (see resourceLinkAnnotations: ref-4, ref-5, ref-6, ref-7, ref-8, ref-9, ref-10)
  • Restrict access to device mapper ioctls to only root users

Evidence notes

The vulnerability was resolved in various kernel commits (see resourceLinkAnnotations: ref-4, ref-5, ref-6, ref-7, ref-8, ref-9, ref-10).

Official resources

public