{"api_version":"1","generated_at":"2026-06-03T11:06:10+00:00","cve":"CVE-2026-46130","urls":{"html":"https://cve.report/CVE-2026-46130","api":"https://cve.report/api/cve/CVE-2026-46130.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46130","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46130"},"summary":{"title":"dm-verity-fec: fix reading parity bytes split across blocks (take 3)","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity-fec: fix reading parity bytes split across blocks (take 3)\n\nfec_decode_bufs() assumes that the parity bytes of the first RS codeword\nit decodes are never split across parity blocks.\n\nThis assumption is false.  Consider v->fec->block_size == 4096 &&\nv->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each\ncall to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs <<\nDM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.\n\nConsidering that the parity data for each message block starts on a\nblock boundary, the byte alignment in the parity data will iterate\nthrough 272*i mod 4096 until the 3 parity blocks have been consumed.  On\nthe 16th call (i=15), the alignment will be 4080 bytes into the first\nblock.  Only 16 bytes remain in that block, but 17 parity bytes will be\nneeded.  The code reads out-of-bounds from the parity block buffer.\n\nFortunately this doesn't normally happen, since it can occur only for\ncertain non-default values of fec_roots *and* when the maximum number of\nbuffers couldn't be allocated due to low memory.  For example with\nblock_size=4096 only the following cases are affected:\n\n    fec_roots=17: nbufs in [1, 3, 5, 15]\n    fec_roots=19: nbufs in [1, 229]\n    fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]\n    fec_roots=23: nbufs in [1, 89]\n\nRegardless, fix it by refactoring how the parity blocks are read.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:28","updated_at":"2026-05-28 13:44:01"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61","name":"https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb","name":"https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46130","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46130","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6df90c02bae468a3a6110bafbc659884d0c4966c 3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6df90c02bae468a3a6110bafbc659884d0c4966c 430a05cb926f6bdf53e81460a2c3a553257f3f61 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6bc6ee31113b05db605694491bdeb2b1730142f1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12caa73a28f0ae147ec0356b45091edf2462462b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fc8943886629e26de34867db302c74d465510826 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.125 6.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.72 6.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.10 6.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46130","cve":"CVE-2026-46130","epss":"0.000180000","percentile":"0.051730000","score_date":"2026-06-02","updated_at":"2026-06-03 00:08:17"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/md/dm-verity-fec.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb","status":"affected","version":"6df90c02bae468a3a6110bafbc659884d0c4966c","versionType":"git"},{"lessThan":"430a05cb926f6bdf53e81460a2c3a553257f3f61","status":"affected","version":"6df90c02bae468a3a6110bafbc659884d0c4966c","versionType":"git"},{"status":"affected","version":"6bc6ee31113b05db605694491bdeb2b1730142f1","versionType":"git"},{"status":"affected","version":"12caa73a28f0ae147ec0356b45091edf2462462b","versionType":"git"},{"status":"affected","version":"fc8943886629e26de34867db302c74d465510826","versionType":"git"},{"lessThan":"6.2","status":"affected","version":"6.1.125","versionType":"semver"},{"lessThan":"6.7","status":"affected","version":"6.6.72","versionType":"semver"},{"lessThan":"6.13","status":"affected","version":"6.12.10","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/md/dm-verity-fec.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.13"},{"lessThan":"6.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"6.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"6.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.125","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.72","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity-fec: fix reading parity bytes split across blocks (take 3)\n\nfec_decode_bufs() assumes that the parity bytes of the first RS codeword\nit decodes are never split across parity blocks.\n\nThis assumption is false.  Consider v->fec->block_size == 4096 &&\nv->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each\ncall to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs <<\nDM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.\n\nConsidering that the parity data for each message block starts on a\nblock boundary, the byte alignment in the parity data will iterate\nthrough 272*i mod 4096 until the 3 parity blocks have been consumed.  On\nthe 16th call (i=15), the alignment will be 4080 bytes into the first\nblock.  Only 16 bytes remain in that block, but 17 parity bytes will be\nneeded.  The code reads out-of-bounds from the parity block buffer.\n\nFortunately this doesn't normally happen, since it can occur only for\ncertain non-default values of fec_roots *and* when the maximum number of\nbuffers couldn't be allocated due to low memory.  For example with\nblock_size=4096 only the following cases are affected:\n\n    fec_roots=17: nbufs in [1, 3, 5, 15]\n    fec_roots=19: nbufs in [1, 229]\n    fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]\n    fec_roots=23: nbufs in [1, 89]\n\nRegardless, fix it by refactoring how the parity blocks are read."}],"providerMetadata":{"dateUpdated":"2026-05-28T09:35:45.387Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb"},{"url":"https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61"}],"title":"dm-verity-fec: fix reading parity bytes split across blocks (take 3)","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46130","datePublished":"2026-05-28T09:35:45.387Z","dateReserved":"2026-05-13T15:03:33.099Z","dateUpdated":"2026-05-28T09:35:45.387Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:28","lastModifiedDate":"2026-05-28 13:44:01","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46130","Ordinal":"1","Title":"dm-verity-fec: fix reading parity bytes split across blocks (tak","CVE":"CVE-2026-46130","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46130","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity-fec: fix reading parity bytes split across blocks (take 3)\n\nfec_decode_bufs() assumes that the parity bytes of the first RS codeword\nit decodes are never split across parity blocks.\n\nThis assumption is false.  Consider v->fec->block_size == 4096 &&\nv->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each\ncall to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs <<\nDM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.\n\nConsidering that the parity data for each message block starts on a\nblock boundary, the byte alignment in the parity data will iterate\nthrough 272*i mod 4096 until the 3 parity blocks have been consumed.  On\nthe 16th call (i=15), the alignment will be 4080 bytes into the first\nblock.  Only 16 bytes remain in that block, but 17 parity bytes will be\nneeded.  The code reads out-of-bounds from the parity block buffer.\n\nFortunately this doesn't normally happen, since it can occur only for\ncertain non-default values of fec_roots *and* when the maximum number of\nbuffers couldn't be allocated due to low memory.  For example with\nblock_size=4096 only the following cases are affected:\n\n    fec_roots=17: nbufs in [1, 3, 5, 15]\n    fec_roots=19: nbufs in [1, 229]\n    fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]\n    fec_roots=23: nbufs in [1, 89]\n\nRegardless, fix it by refactoring how the parity blocks are read.","Type":"Description","Title":"dm-verity-fec: fix reading parity bytes split across blocks (tak"}]}}}