CVE-2026-46067

Source
https://cve.org/CVERecord?id=CVE-2026-46067
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46067.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46067
Published
2026-05-27T12:57:45.648Z
Modified
2026-06-26T11:56:59.312380565Z
Summary
mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

Users can set damos_quota_goal->nid with arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using DAMON user-space tool (damo), like below.

$ sudo mkdir /sys/fs/cgroup/foo
$ sudo ./damo start --damos_action stat --damos_quota_interval 1s \
        --damos_quota_goal node_memcg_used_bp 50% -1 /foo
$ sudo dmesg
[...]
[  524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00

Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.
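
The fix described above, sketched as a userland model (an added example, not the kernel patch or any code from the DAMON tree). All names, the node table and the page counts are hypothetical and constructed for illustration; treating a node with no memory as invalid is an assumption of this model.

```c
#include <stddef.h>
#include <stdbool.h>

/* Userland model only: every identifier here is hypothetical. */
#define MODEL_MAX_NODES 4
#define MODEL_BP_FULL   10000UL  /* 100% expressed in basis points */

enum model_metric { MODEL_NODE_MEMCG_USED_BP, MODEL_NODE_MEMCG_FREE_BP };

struct model_node {
    unsigned long total_pages;       /* 0 means the node has no memory */
    unsigned long memcg_used_pages;  /* pages charged to the cgroup */
};

/* Constructed sample topology standing in for the per-node data table. */
static const struct model_node model_nodes[MODEL_MAX_NODES] = {
    { 1000, 250 },   /* node 0: 25% used by the cgroup */
    { 2000, 2000 },  /* node 1: fully used */
    { 0, 0 },        /* node 2: memoryless */
    { 0, 0 },        /* node 3: memoryless */
};

/* Reject ids that would index outside the table, or nodes without memory. */
static bool model_invalid_mem_node(int nid)
{
    return nid < 0 || nid >= MODEL_MAX_NODES ||
           model_nodes[nid].total_pages == 0;
}

/*
 * Return the used or free ratio in basis points for a user-supplied node id.
 * The id is validated BEFORE it is used as an index; an invalid id yields
 * 0% used and 100% free, the behaviour the advisory text describes.
 */
unsigned long model_node_memcg_bp(int nid, enum model_metric metric)
{
    const struct model_node *node;
    unsigned long used_bp;

    if (model_invalid_mem_node(nid))
        return metric == MODEL_NODE_MEMCG_USED_BP ? 0 : MODEL_BP_FULL;

    node = &model_nodes[nid];
    used_bp = node->memcg_used_pages * MODEL_BP_FULL / node->total_pages;
    return metric == MODEL_NODE_MEMCG_USED_BP ? used_bp
                                              : MODEL_BP_FULL - used_bp;
}
```

Without the validation step, a negative or too-large id would be used directly as the table index, which is the out-of-bounds access the record describes.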

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46067.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b74a120bcf50787e5b9a2c3dcff999f9836ce1db
Fixed
da10db73ada26345244ea5dc52f974692bd05f66
Fixed
a34dac6482e53e2c76944f25b1489b9b7da3a6e6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46067.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46067.json"