CVE-2026-46190 Overview
CVE-2026-46190 is an out-of-bounds read vulnerability in the Linux kernel's mtd/spi-nor debugfs interface. The flaw resides in the spi_nor_params_show() function, which incorrectly calculates the size of the snor_f_names array using sizeof() instead of ARRAY_SIZE(). Because snor_f_names is an array of pointers, sizeof() returns the byte length of the pointer storage rather than the element count. On 64-bit systems, this inflates the supposed length by a factor of eight. When spi_nor_print_flags() uses this inflated value for bounds checking, it can read past the end of the array if a flag bit beyond the real element count is set.
Critical Impact
An out-of-bounds read in kernel space exposes adjacent memory contents through debugfs, potentially leaking sensitive kernel data to privileged readers.
Affected Products
- Linux kernel versions containing the mtd/spi-nor debugfs implementation
- Systems using SPI-NOR flash memory devices with debugfs enabled
- 64-bit Linux platforms where the pointer-size miscalculation is most pronounced
Discovery Timeline
- 2026-05-28 - CVE-2026-46190 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46190
Vulnerability Analysis
The vulnerability lives in the SPI-NOR flash subsystem's debugfs output path. The spi_nor_params_show() function dumps flash device parameters, including a set of capability flags translated into human-readable strings via the snor_f_names lookup array. The function passes sizeof(snor_f_names) to spi_nor_print_flags() as the bounds-check length.
Because snor_f_names is declared as an array of const char * pointers, sizeof() evaluates to element_count * sizeof(void *). On a 64-bit kernel, sizeof(void *) equals 8, so the value passed is eight times larger than the true element count. spi_nor_print_flags() uses this inflated value as the upper bound when indexing names[i] for each set flag bit.
If any flag bit position falls between the real element count and the inflated count, the lookup dereferences memory beyond the array boundary. The result is an out-of-bounds read [CWE-125] that returns whatever pointer-aligned data follows snor_f_names in kernel memory.
Root Cause
The root cause is a misuse of the sizeof() operator on an array of pointers. Kernel code should use the ARRAY_SIZE() macro to obtain element counts, which divides sizeof(array) by sizeof(array[0]). The fix replaces sizeof(snor_f_names) with ARRAY_SIZE(snor_f_names), restoring the correct element count for the bounds check.
Attack Vector
Exploitation requires local access with permission to read the relevant debugfs file under /sys/kernel/debug/spi-nor/. Debugfs is typically restricted to root, which limits the practical attack surface. A local privileged process triggering a read of the parameter file on a device whose flag set includes bits beyond the array length can induce the out-of-bounds read and observe leaked kernel memory in the resulting output.
No verified exploit code is publicly available for this issue. The fix is documented across multiple stable kernel commits referenced in the kernel.org commit logs.
Detection Methods for CVE-2026-46190
Indicators of Compromise
- Unexpected access patterns to /sys/kernel/debug/spi-nor/*/params from non-administrative processes
- KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds reads inside spi_nor_print_flags()
- Anomalous string content appearing in debugfs SPI-NOR parameter output that does not match documented flag names
Detection Strategies
- Enable CONFIG_KASAN on test kernels to surface out-of-bounds reads in spi_nor_params_show() before production deployment
- Audit running kernel versions against the patched commits referenced in the stable kernel git history
- Compare installed kernel package versions to distribution security advisories tracking this fix
Monitoring Recommendations
- Monitor process access to debugfs paths, particularly /sys/kernel/debug/spi-nor/, and alert on reads by unexpected users
- Track kernel log entries for KASAN or slab corruption warnings tied to the mtd subsystem
- Inventory systems using SPI-NOR flash hardware to prioritize patching scope
How to Mitigate CVE-2026-46190
Immediate Actions Required
- Apply the upstream kernel patch that replaces sizeof(snor_f_names) with ARRAY_SIZE(snor_f_names) in spi_nor_params_show()
- Update to a stable Linux kernel release containing the fix from the referenced commits, including 34bdcfb496b29f9a52431194f94473b37fb8c162 and e47029b977e747cb3a9174308fd55762cce70147
- Restrict debugfs mount permissions so only administrative users can read SPI-NOR parameter files
Patch Information
The fix is committed to the upstream Linux kernel and backported to multiple stable branches. Refer to the kernel.org stable commit and the additional backport for the exact changes. Distribution vendors publish corresponding kernel updates through their standard channels.
Workarounds
- Unmount or restrict access to debugfs by mounting it with mode=0700 and uid=0,gid=0 until patched kernels are deployed
- Disable CONFIG_DEBUG_FS in kernel builds where debugfs is not required for operations
- Limit SPI-NOR debugfs file permissions via udev or systemd-tmpfiles rules where the kernel cannot be immediately updated
# Restrict debugfs access to root only
mount -o remount,mode=0700 /sys/kernel/debug
# Verify current kernel version against patched releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
