In the Linux kernel, the following vulnerability has been resolved:
md/raid5: validate payload size before accessing journal metadata
r5crecoveryanalyzemetablock() and r5lrecoveryverifydatachecksumformb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block.
A corrupted journal contains payload sizes extending beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets.
Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46070.json",
"cna_assigner": "Linux"
}