mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

CVE	CVE-2026-46190
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:34 UTC
Updated	2026-05-30 11:17:25 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.000180000 probability, percentile 0.051640000 (date 2026-05-29)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`
3.1	CNA	DECLARED	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 0257be79fc4a16a3252ce80aa13b3640f728c425 9a80c458320e0514e11945402dd6e48fcee05524 git	Not specified
CNA	Linux	Linux	affected 0257be79fc4a16a3252ce80aa13b3640f728c425 ca18c180b053f6ce80394322b314ac721c316af7 git	Not specified
CNA	Linux	Linux	affected 0257be79fc4a16a3252ce80aa13b3640f728c425 34bdcfb496b29f9a52431194f94473b37fb8c162 git	Not specified
CNA	Linux	Linux	affected 0257be79fc4a16a3252ce80aa13b3640f728c425 c0b654bc0b76a1da102d9138be1ed1223bd99310 git	Not specified
CNA	Linux	Linux	affected 0257be79fc4a16a3252ce80aa13b3640f728c425 e47029b977e747cb3a9174308fd55762cce70147 git	Not specified
CNA	Linux	Linux	affected 5.19	Not specified
CNA	Linux	Linux	unaffected 5.19 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc2 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/9a80c458320e0514e11945402dd6e48fcee05524	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/e47029b977e747cb3a9174308fd55762cce70147	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/34bdcfb496b29f9a52431194f94473b37fb8c162	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ca18c180b053f6ce80394322b314ac721c316af7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c0b654bc0b76a1da102d9138be1ed1223bd99310	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.