CVE-2026-46289 Overview
CVE-2026-46289 is a Linux kernel vulnerability in the lib/scatterlist subsystem, specifically affecting the extract_kvec_to_sg function. The flaw involves incorrect length calculations when extracting from a kernel vector (kvec) to a scatterlist, allowing scatterlist entry lengths to exceed the number of bytes in the underlying page. The vulnerability was introduced in Linux kernel v6.3, where the affected function originally resided in fs/netfs/iterator.c, and was later relocated to lib/scatterlist.c in v6.5. The fix is targeted for backports to v6.5 and later kernel releases.
Critical Impact
Incorrect scatterlist length calculations can cross page boundaries, potentially causing memory corruption or out-of-bounds access in kernel subsystems that consume scatterlists generated from kvec iterators.
Affected Products
- Linux kernel versions 6.3 and later (function originally in fs/netfs/iterator.c)
- Linux kernel versions 6.5 and later (function relocated to lib/scatterlist.c)
- Distributions shipping affected upstream kernel versions
Discovery Timeline
- 2026-06-08 - CVE-2026-46289 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46289
Vulnerability Analysis
The vulnerability resides in extract_kvec_to_sg, a helper used by extract_iter_to_sg() to convert kernel vector iterators into scatterlist (sglist) entries. Scatterlists describe physically discontiguous memory in terms of page, offset, and length tuples. They are consumed by direct memory access (DMA), crypto, and networking subsystems.
When extracting from a kvec, the function failed to honor page boundaries. The required per-entry length was computed but not used to constrain the size of each scatterlist entry. As a result, a single sglist entry could describe a region longer than the page it points to.
A second related defect concerns the user-buffer variant: the sglist was temporarily reused as a scratch buffer for extracted page pointers. When the sglist already contained entries, this scratch usage could overlap and corrupt existing entries.
Root Cause
The root cause is a missing bound check in the kvec extraction loop. The computed per-segment length, which represents the bytes remaining within the current page, was discarded rather than applied to the scatterlist entry. The function also failed to adjust the copied length when the loop exhausted available sglist entries before fully consuming the iterator. An early return for the zero-entry case was also missing.
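A user-space model of the length defect described above, added here as an illustration; it is not the kernel's code and is not taken from the upstream patches. The names `sg_model`, `kvec_to_sg_model` and `first_bad_entry`, the 4096-byte page size and the sample address are assumptions. With `constrain` set to 0 the per-page segment is computed but discarded, and the checker flags the first entry whose offset plus length runs past its page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_PAGE_SIZE 4096u            /* assumed page size for this model */
/* Hypothetical stand-in for one scatterlist entry: (page, offset, length). */
struct sg_model { uintptr_t page; size_t off; size_t len; };

/* Split [addr, addr+len) into per-page entries. constrain == 0 models the
 * described defect: the per-page segment is computed, but the whole remaining
 * length is stored. Returns the bytes described; *n_out gets the entry count. */
static size_t kvec_to_sg_model(uintptr_t addr, size_t len, struct sg_model *sg,
                               size_t sg_max, int constrain, size_t *n_out)
{
    size_t n = 0, done = 0;
    while (len > 0 && n < sg_max) {      /* sg_max == 0: no entries, 0 bytes */
        size_t off = addr % MODEL_PAGE_SIZE;
        size_t seg = MODEL_PAGE_SIZE - off;   /* bytes left in this page */
        if (seg > len)
            seg = len;
        sg[n++] = (struct sg_model){ addr - off, off, constrain ? seg : len };
        addr += seg;
        len -= seg;
        done += seg;                     /* count only what fit in the entries */
    }
    *n_out = n;
    return done;
}

/* Invariant a scatterlist consumer relies on: off + len stays within the page.
 * Returns the index of the first violating entry, or -1 if all are valid. */
static int first_bad_entry(const struct sg_model *sg, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sg[i].off >= MODEL_PAGE_SIZE || sg[i].len > MODEL_PAGE_SIZE - sg[i].off)
            return (int)i;
    return -1;
}

int main(void)
{
    struct sg_model sg[4];
    size_t n;
    /* Constructed input: 0x1200 bytes starting 0x100 bytes before a page end. */
    for (int fix = 0; fix <= 1; fix++) {
        kvec_to_sg_model(0x10f00, 0x1200, sg, 4, fix, &n);
        printf("constrain=%d: first bad entry = %d\n", fix, first_bad_entry(sg, n));
    }
    return 0;
}
```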
Attack Vector
Exploitation requires the ability to trigger kernel code paths that invoke extract_iter_to_sg() with attacker-influenced kvec or user iterator inputs. Such paths exist in networking, file system, and crypto operations that route data through scatterlist-based interfaces. A local attacker who can shape iterator inputs could induce out-of-bounds memory references through downstream consumers of the malformed scatterlist. The vulnerability is a kernel-side memory safety issue rather than a remotely triggerable flaw with a known public exploit. The patches add kunit test cases in the kunit_iov_iter suite that demonstrate the buggy behavior.
No verified public exploit code is available. Refer to the upstream commits for the precise code-level fix.
Detection Methods for CVE-2026-46289
Indicators of Compromise
- Kernel oops, BUG, or KASAN reports referencing extract_kvec_to_sg, extract_iter_to_sg, or lib/scatterlist.c
- Out-of-bounds read or write warnings in subsystems that consume scatterlists, including network, filesystem, or crypto stacks
- Unexpected DMA mapping failures or memory corruption symptoms correlated with iov_iter operations
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test and staging kernels to surface out-of-bounds accesses in scatterlist consumers
- Run the upstream kunit_iov_iter test cases introduced alongside the patch series to verify whether a running kernel is affected
- Inventory running kernel versions and flag any kernel at v6.3 or later that has not received the fix
Monitoring Recommendations
- Monitor dmesg and journald output for KASAN, slab corruption, and page boundary violation messages on Linux hosts
- Collect kernel version telemetry from endpoints and servers to identify systems still running unpatched kernels
- Track stable tree backport advisories from your Linux distribution vendor for the commits referenced below
How to Mitigate CVE-2026-46289
Immediate Actions Required
- Identify all systems running Linux kernel v6.3 or later and prioritize those on long-lived 6.5+ stable branches
- Apply distribution-provided kernel updates that include the upstream commits listed in the patch references
- Schedule reboots for hosts after kernel package upgrades to ensure the patched code path is active
Patch Information
Upstream fixes are available in the following kernel commits: 07b7d66, 3f17500, 8fbba68, 9d38756, and e5e22fc. The fix constrains per-entry length to page boundaries, adjusts the copied length when sglist entries are exhausted, and adds an early return when no sglist entries are provided. Backports are marked for v6.5 and later stable kernels.
Workarounds
- No vendor-published workaround exists; applying the upstream patch series is the supported remediation
- Limit local untrusted code execution on affected hosts until kernels are updated
- Where feasible, deploy kernels built with KASAN enabled in non-production environments to detect related memory safety regressions early
# Show the running kernel release (compare it against your distribution's fixed version)
uname -r
# Debian/Ubuntu: update and install latest kernel
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# RHEL/Fedora: update kernel package
sudo dnf update kernel
# Reboot to activate the patched kernel
sudo systemctl reboot


