CVE-2026-53059

MEDIUM

Linux - Out-of-Bounds Access

Title source: rule
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: dm log: fix out-of-bounds write due to region_count overflow The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions. Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc. This can be reproduced by creating a mirror target whose region_count overflows 32 bits: dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0' The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1): $ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ... This leads to a kernel crash in core_in_sync: BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed! Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count.

Scores

CVSS v3 6.3
EPSS 0.0013
EPSS Percentile 2.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-190
Status published
Products (25)
linux/Kernel 2.6.12 - 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 2.6.12
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 12bd5b88e91a02785244ff1d20fb157e96e9cdc8
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 3ec74da927b4e171a6fc0e77b1188ba4d019af51
... and 15 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026