CVE-2026-46130 Overview
CVE-2026-46130 is an out-of-bounds read vulnerability in the Linux kernel's dm-verity-fec forward error correction subsystem. The flaw resides in the fec_decode_bufs() function, which incorrectly assumes that the parity bytes of the first Reed-Solomon (RS) codeword it decodes never span multiple parity blocks. When specific non-default fec_roots values are combined with constrained buffer allocation, the function reads beyond the bounds of the parity block buffer. The issue affects systems using dm-verity with FEC enabled and has been resolved upstream through a refactor of how parity blocks are read.
Critical Impact
Out-of-bounds memory read in the kernel's dm-verity FEC path that can be triggered when specific fec_roots and buffer allocation conditions are met, potentially exposing kernel memory contents or destabilizing verified storage operations.
Affected Products
- Linux kernel versions containing the dm-verity-fec module prior to the upstream fix
- Distributions and devices using dm-verity with forward error correction enabled
- Systems configured with non-default fec_roots values (17, 19, 21, 23)
Discovery Timeline
- 2026-05-28 - CVE-2026-46130 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46130
Vulnerability Analysis
The vulnerability exists in the Linux device-mapper verity FEC code path. fec_decode_bufs() processes Reed-Solomon codewords using parity bytes laid out across one or more parity blocks. The function assumes the parity bytes of the first codeword in a decode call always begin within a single block. This assumption breaks for several valid configurations of fec_roots and nbufs.
For v->fec->block_size == 4096, v->fec->roots == 17, and fio->nbufs == 1, each invocation of fec_decode_bufs() consumes 272 parity bytes (v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS)). Because each message block's parity data begins on a block boundary, byte alignment iterates through 272*i mod 4096. On the 16th iteration (i=15), the alignment lands 4080 bytes into the first parity block, leaving only 16 bytes available while the code attempts to read 17 parity bytes.
Root Cause
The root cause is an unchecked alignment assumption in the parity reading logic. The code does not account for RS codeword parity bytes split across block boundaries, leading to an out-of-bounds read past the end of the in-memory parity block buffer.
Attack Vector
Triggering the condition requires a dm-verity device configured with FEC and specific non-default values of fec_roots, combined with low-memory situations where the maximum number of FEC buffers could not be allocated. Affected combinations with block_size=4096 include: fec_roots=17 with nbufs in [1, 3, 5, 15]; fec_roots=19 with nbufs in [1, 229]; fec_roots=21 with nbufs in [1, 3, 5, 13, 15, 39, 65, 195]; and fec_roots=23 with nbufs in [1, 89]. The defect manifests during normal verified read operations on a corrupted block that requires FEC repair.
The vulnerability is described in prose only. See the upstream commits Kernel Git Commit 3d1b4e2 and Kernel Git Commit 430a05c for the corrective patch.
Detection Methods for CVE-2026-46130
Indicators of Compromise
- Unexpected kernel warnings or KASAN reports referencing fec_decode_bufs or dm-verity-fec call paths
- I/O errors or verity failures correlated with low-memory conditions on devices using FEC
- Use of non-default fec_roots values (17, 19, 21, 23) in dm-verity device tables
Detection Strategies
- Audit running kernel versions against vendor advisories and confirm whether the upstream dm-verity-fec fix is applied
- Inspect device-mapper table configurations for verity targets and capture the fec_roots parameter
- Enable KASAN on test kernels to surface out-of-bounds reads in the FEC decode path during fuzzing or QA
Monitoring Recommendations
- Forward dmesg and kernel audit logs to a centralized log store and alert on dm-verity or device-mapper errors
- Track memory pressure events that could force reduced nbufs allocation in the FEC code path
- Monitor patch deployment status across Linux fleets to confirm uptake of the corrective kernel update
How to Mitigate CVE-2026-46130
Immediate Actions Required
- Update Linux kernels to a version containing the upstream dm-verity-fec parity reading fix
- Inventory systems using dm-verity with FEC and document their fec_roots configuration
- Prioritize patching on Android devices, embedded systems, and verified-boot deployments where dm-verity-fec is in active use
Patch Information
The fix refactors how parity blocks are read so the code correctly handles RS codeword parity bytes that span block boundaries. Apply the upstream commits referenced in Kernel Git Commit 3d1b4e2 and Kernel Git Commit 430a05c, or install the corresponding distribution kernel update.
Workarounds
- Where feasible, avoid non-default fec_roots values (17, 19, 21, 23) until the patched kernel is deployed
- Reduce exposure to low-memory conditions that force reduced FEC buffer allocation on affected hosts
- Restrict local access on systems running unpatched kernels with dm-verity-fec enabled
# Check running kernel version and dm-verity table parameters
uname -r
sudo dmsetup table --target verity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
