CVE-2026-46067 Overview
CVE-2026-46067 is an out-of-bounds memory access vulnerability in the Linux kernel's Data Access Monitor (DAMON) subsystem. The flaw resides in mm/damon/core where the kernel fails to validate the damos_quota_goal->nid field supplied by user space. When a user specifies an arbitrary node ID for the node_memcg_used_bp or node_memcg_free_bp quota goal metrics, DAMON passes the value directly to NODE_DATA() without bounds checking. The result is a kernel paging fault triggered through the DAMON sysfs interface. The issue is reproducible using the damo user-space tool with a crafted --damos_quota_goal argument.
Critical Impact
A local user with access to the DAMON sysfs interface can trigger an out-of-bounds kernel memory access, causing a denial of service through kernel paging faults.
Affected Products
- Linux kernel versions containing the DAMON node_memcg_used_bp and node_memcg_free_bp quota goal metrics
- Systems exposing the DAMON sysfs interface (/sys/kernel/mm/damon/)
- Distributions shipping affected mainline and stable Linux kernel branches
Discovery Timeline
- 2026-05-27 - CVE-2026-46067 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46067
Vulnerability Analysis
DAMON is the Linux kernel's Data Access Monitor framework used to observe memory access patterns and apply memory management actions. DAMON-based Operation Schemes (DAMOS) support quota goals that throttle actions based on metrics such as per-node memory cgroup usage. The damos_quota_goal structure accepts a nid field identifying the target NUMA node. The kernel uses this nid to look up node data via the NODE_DATA(nid) macro when computing the node_memcg_used_bp and node_memcg_free_bp ratios. Because the value originates from user space without sanitization, an attacker can supply an out-of-range or negative node identifier and force the kernel to dereference an invalid pglist_data pointer.
Root Cause
The root cause is missing input validation on a user-controlled field. DAMON core code accepted any nid value written through the sysfs DAMOS quota goal interface and used it as an index into kernel node data structures. No range check confirmed that nid fell within [0, MAX_NUMNODES) or that the corresponding NODE_DATA() entry was populated, yielding an out-of-bounds read [CWE-125].
Attack Vector
Exploitation requires local access and the ability to write to the DAMON sysfs interface, typically restricted to privileged users. The reproducer creates a cgroup, then starts DAMON with a node_memcg_used_bp quota goal set to an invalid node identifier such as -1. When the kernel evaluates the quota, it calls NODE_DATA() on the unvalidated value and faults at an invalid virtual address, producing a kernel oops in dmesg.
The upstream fix adds validation of the supplied node identifier before it is used. If the nid is invalid, the quota goal evaluation returns 0% for the used memory ratio and 100% for the free memory ratio instead of touching node data, preventing the out-of-bounds access. The patches are tracked as kernel commits a34dac64 and da10db73.
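The following is an added illustration of the defect and the fix described above; it is not the kernel's code and not taken from the referenced commits. It models node data with a small constructed array in place of pglist_data and NODE_DATA(), assumes that a valid nid is one in [0, MAX_NUMNODES) whose node is populated, and assumes the free ratio is simply the complement of the used ratio. The unchecked function shows the shape of the bug (an index taken straight from user input); the checked functions show the 0% / 100% fallback, and parse_goal_nid shows the validation applied where a nid arrives as text from a sysfs write.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's per-node data: NOT the real
 * pglist_data or NODE_DATA(), only enough to show the missing bounds
 * check and the behaviour of the fix. */
#define MAX_NUMNODES 4
#define BP_FULL 10000UL              /* 100% expressed in basis points */

struct fake_pglist_data {
    int online;
    unsigned long total_pages;      /* pages on this node */
    unsigned long memcg_used_pages; /* pages charged to the goal's cgroup */
};

static struct fake_pglist_data fake_node_data[MAX_NUMNODES] = {
    { 1, 1000,  250 },  /* node 0: 25% used by the cgroup */
    { 1, 2000, 1500 },  /* node 1: 75% used */
    { 0,    0,    0 },  /* node 2: offline, no data */
    { 0,    0,    0 },  /* node 3: offline */
};

#define FAKE_NODE_DATA(nid) (&fake_node_data[(nid)])

/* Vulnerable shape: the user-supplied nid indexes node data unchecked.
 * With nid = -1 or nid >= MAX_NUMNODES this reads outside the array; in
 * the kernel that is the invalid pglist_data dereference behind the oops.
 * Never call this with an unvalidated nid. */
static unsigned long used_bp_unchecked(int nid)
{
    struct fake_pglist_data *pgdat = FAKE_NODE_DATA(nid);
    return pgdat->memcg_used_pages * BP_FULL / pgdat->total_pages;
}

/* The check the fix supplies in spirit: nid must lie in [0, MAX_NUMNODES)
 * and name a populated node before its data is touched. */
static int nid_valid(int nid)
{
    return nid >= 0 && nid < MAX_NUMNODES && fake_node_data[nid].online
           && fake_node_data[nid].total_pages != 0;
}

/* Hardened shape: an invalid nid yields 0% used ... */
static unsigned long used_bp_checked(int nid)
{
    if (!nid_valid(nid))
        return 0;
    return used_bp_unchecked(nid);   /* safe only because nid was validated */
}

/* ... and 100% free, matching the fallback the advisory describes. */
static unsigned long free_bp_checked(int nid)
{
    if (!nid_valid(nid))
        return BP_FULL;
    return BP_FULL - used_bp_checked(nid);
}

/* Parse a nid as it would arrive from a sysfs goal file write (e.g. "1\n").
 * Returns the node id, or -1 when the text is not a valid, populated node. */
static int parse_goal_nid(const char *buf)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno != 0 || v < 0 || v > INT_MAX)
        return -1;
    while (*end == '\n' || *end == ' ')  /* sysfs writes often carry a trailing newline */
        end++;
    if (*end != '\0')
        return -1;
    return nid_valid((int)v) ? (int)v : -1;
}

int main(void)
{
    /* Constructed inputs: two good nodes, a negative id, an id past the
     * end, an offline node and non-numeric text. */
    const char *inputs[] = { "0", "1", "-1", "4", "2", "abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int nid = parse_goal_nid(inputs[i]);
        printf("input %-4s -> nid %2d used_bp=%5lu free_bp=%5lu\n",
               inputs[i], nid, used_bp_checked(nid), free_bp_checked(nid));
    }
    return 0;
}
```

The point of keeping the rejection inside parse_goal_nid as well as in the ratio helpers is that the value is validated at the boundary where it enters from user space, so no later consumer has to remember to check it.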
Detection Methods for CVE-2026-46067
Indicators of Compromise
- Kernel oops or paging fault messages in dmesg referencing DAMON code paths, for example "Unable to handle kernel paging request at virtual address" followed by stack frames in mm/damon/core.c.
- Unexpected writes to /sys/kernel/mm/damon/admin/kdamonds/*/contexts/*/schemes/*/quotas/goals/ containing unusual nid values.
- Presence of the damo user-space tool or scripts invoking DAMOS quota goals with node_memcg_used_bp or node_memcg_free_bp on non-administrator systems.
Detection Strategies
- Audit kernel logs for paging fault signatures originating in DAMON quota goal evaluation routines.
- Monitor process execution for invocations of damo start or direct writes to the DAMON sysfs hierarchy by non-root or unexpected accounts.
- Track loaded kernel versions across the fleet and flag hosts running unpatched builds that expose DAMON sysfs.
Monitoring Recommendations
- Forward kernel ring buffer events into centralized logging and alert on oops, BUG, or paging fault stack traces.
- Watch for crash dumps or kdump artifacts generated shortly after DAMON sysfs writes.
- Baseline legitimate DAMON usage so that anomalous nid values or new DAMOS schemes are surfaced for review.
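As an added example (not part of the original advisory) of the log audit described under Indicators of Compromise and Detection Strategies, the scanner below walks ring-buffer lines, treats a paging-request, Oops or BUG line as the start of a report, and attributes the report to DAMON only if a frame mentioning DAMON appears within the following trace window. The sample lines are constructed to show the shape of such a report; only kdamond_fn is a real DAMON function name, the other frames are placeholders.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRACE_WINDOW 20   /* lines after a fault header to inspect for frames */

/* Case-insensitive substring search (strcasestr is not in ISO C). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i]
               && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Lines that begin a crash report worth attributing. */
static int is_fault_header(const char *line)
{
    return strstr(line, "Unable to handle kernel paging request") != NULL
        || strstr(line, "Oops:") != NULL
        || strstr(line, "BUG:") != NULL;
}

/* Count crash reports whose trace contains a DAMON frame. A report ends at
 * the next header or after TRACE_WINDOW lines, so unrelated faults are not
 * counted just because DAMON appears somewhere later in the buffer. */
static int count_damon_faults(const char *lines[], int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        if (!is_fault_header(lines[i]))
            continue;
        for (int j = i + 1; j < n && j <= i + TRACE_WINDOW; j++) {
            if (is_fault_header(lines[j]))
                break;                         /* next report begins */
            if (contains_ci(lines[j], "damon")) {
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample (shape of a ring buffer, not a real capture): one
 * report with a DAMON frame, one report from an unrelated subsystem. */
static const char *sample_log[] = {
    "[  12.001] Unable to handle kernel paging request at virtual address ffff0000deadbeef",
    "[  12.002] Call trace:",
    "[  12.003]  damon_placeholder_fn+0x0/0x0   (constructed frame)",
    "[  12.004]  kdamond_fn+0x0/0x0",
    "[  40.100] Unable to handle kernel paging request at virtual address 0000000000000010",
    "[  40.101] Call trace:",
    "[  40.102]  other_subsystem_fn+0x0/0x0    (constructed frame)",
    "[  40.103]  other_caller_fn+0x0/0x0       (constructed frame)",
};

static int count_sample_damon_faults(void)
{
    return count_damon_faults(sample_log, (int)(sizeof sample_log / sizeof sample_log[0]));
}

int main(void)
{
    printf("DAMON-attributed crash reports in sample: %d\n", count_sample_damon_faults());
    return 0;
}
```

Feeding real `dmesg` output through this logic from a log pipeline gives an alert that fires on DAMON faults specifically rather than on every kernel oops, which keeps the signal from the Monitoring Recommendations above actionable.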
How to Mitigate CVE-2026-46067
Immediate Actions Required
- Apply the upstream Linux kernel patches that add nid validation in mm/damon/core for node_memcg_used_bp and node_memcg_free_bp quota goals.
- Restrict access to the DAMON sysfs hierarchy to trusted administrators only and verify that unprivileged accounts cannot write to DAMOS goal files.
- Inventory hosts that load DAMON and prioritize patching kernels exposed to multi-tenant or interactive workloads.
Patch Information
The fix is committed upstream and is available in the stable trees; reference kernel commits a34dac64 and da10db73. Rebuild and deploy a kernel containing these commits, then reboot affected systems. Track distribution security advisories for backported builds covering long-term support branches.
Workarounds
- Disable the DAMON subsystem by building kernels without CONFIG_DAMON and CONFIG_DAMON_SYSFS where memory access monitoring is not required.
- Tighten file permissions on /sys/kernel/mm/damon/ so only root can write quota goal parameters, and remove the damo tool from systems where it is not needed.
- Use mandatory access control policies such as SELinux or AppArmor to deny write access to the DAMON sysfs interface for non-administrative roles.
# Configuration example: restrict DAMON sysfs access (run as root; sysfs
# permissions are not persistent across reboots, so apply at boot as well)
chmod -R o-rwx /sys/kernel/mm/damon/
find /sys/kernel/mm/damon/ -type f -exec chmod g-w {} \;
# Confirm no goal file remains group- or world-writable (should print nothing)
find /sys/kernel/mm/damon/ -type f -perm /g+w,o+w
# Verify the running kernel: compare the version against the fixed build named
# in your distribution's advisory, and check the ring buffer for DAMON faults
uname -r
dmesg | grep -i damon
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.