drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

Summary

CVE: CVE-2026-46006
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-27 14:17:18 UTC
Updated: 2026-06-16 15:25:48 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]
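The wrap described above, as an added example that is not part of the CVE record or the kernel source: a user-space C model of the bounds check before and after the cast to 64 bits. The function names, the sample offsets and the 4096-byte buffer size are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix form of the check: reloc_bo_offset is 32-bit and the literal 4
 * converts to unsigned int, so the sum is computed modulo 2^32 and only
 * then widened for the comparison with the size_t buffer size.
 * Returns 1 when the relocation is accepted as in bounds. */
static int reloc_accepted_u32(uint32_t reloc_bo_offset, size_t bo_size)
{
    return !(reloc_bo_offset + 4 > bo_size);
}

/* Fixed form: widen to 64 bits first so the addition cannot wrap. */
static int reloc_accepted_u64(uint32_t reloc_bo_offset, size_t bo_size)
{
    return !((uint64_t)reloc_bo_offset + 4 > bo_size);
}

int main(void)
{
    /* Constructed sample values, not taken from the record. */
    const size_t bo_size = 4096;
    const uint32_t offsets[] = {
        0u,          /* first word of the buffer */
        4092u,       /* last 4-byte slot that fits */
        4093u,       /* one byte past the last valid slot */
        0xFFFFFFFCu, /* offset + 4 wraps to 0 in 32-bit arithmetic */
        0xFFFFFFFFu, /* offset + 4 wraps to 3 in 32-bit arithmetic */
    };

    printf("%-12s %-10s %-10s\n", "offset", "u32 check", "u64 check");
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        printf("0x%08x   %-10s %-10s\n", (unsigned)offsets[i],
               reloc_accepted_u32(offsets[i], bo_size) ? "accept" : "reject",
               reloc_accepted_u64(offsets[i], bo_size) ? "accept" : "reject");
    }
    return 0;
}
```

The two forms agree for every offset below 2^32 - 4; they differ only for the last four offset values, where the 32-bit sum wraps to a small number and passes the comparison.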

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.024910000 (date 2026-06-04)

Problem Types: CWE-787


Version Source Type Score Severity Vector
3.1 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Secondary 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1 CNA DECLARED 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 573a1104bd36e49c067a9dc62e7c476d5ee7e92a git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 45a45184b9c0b0b26ead06e370cda2073616a7cc git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 fa297e919d1680c38ab268ff952b1698dac987f6 git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 d749a9a0ee4014681487e7ae549901aa8c176637 git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 332884f5eb79dd60a7162b079d09d39208567a31 git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 e441d5c23ec644c8d27593db3b8928e8933512a9 git Not specified
CNA Linux Linux affected a1606a9596e54da90ad6209071b357a4c1b0fa82 2fc87d37be1b730a149b035f9375fdb8cc5333a5 git Not specified
CNA Linux Linux affected 2.6.34 Not specified
CNA Linux Linux unaffected 2.6.34 semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.86 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.27 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.4 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis