HOMEVULNERABILITIESCVE-2026-45990
NONE

CVE-2026-45990

Published: May 27, 2026· Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

slub: fix data loss and overflow in krealloc()

Commit 2cd8231796b5 ("mm/slub: allow to set node and align in

k[v]realloc") introduced the ability to force a reallocation if the

original object does not satisfy new alignment or NUMA node, even when

the object is being shrunk.

This introduced two bugs in the reallocation fallback path:

1. Data loss during NUMA migration: The jump to 'alloc_new' happens

before 'ks' and 'orig_size' are initialized. As a result, the

memcpy() in the 'alloc_new' block would copy 0 bytes into the new

allocation.

2. Buffer overflow during shrinking: When shrinking an object while

forcing a new alignment, 'new_size' is smaller than the old size.

However, the memcpy() used the old size ('orig_size ?: ks'), leading

to an out-of-bounds write.

The same overflow bug exists in the kvrealloc() fallback path, where the

old bucket size ksize(p) is copied into the new buffer without being

bounded by the new size.

A simple reproducer:

// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW

while (1) {

void *p = kmalloc(128, GFP_KERNEL);

p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);

kfree(p);

}

demonstrates the issue:

==================================================================

BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130

Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):

memcpy_orig+0x68/0x130

krealloc_node_align_noprof+0x1c8/0x340

lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]

lkdtm_do_action+0x3a/0x60 [lkdtm]

...

kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64

allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):

krealloc_node_align_noprof+0x19c/0x340

lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]

lkdtm_do_action+0x3a/0x60 [lkdtm]

...

==================================================================

Fix it by moving the old size calculation to the top of __do_krealloc()

and bounding all copy lengths by the new allocation size.

NVD Source

Technical Analysis

CVE-2026-45990 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (3)

Quick Facts

CVE IDCVE-2026-45990
SeverityNONE
CISA KEVNo
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45990 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.