HOMEVULNERABILITIESCVE-2026-46023
NONE

CVE-2026-46023

Published: May 27, 2026· Updated: Jun 1, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

dm mirror: fix integer overflow in create_dirty_log()

The argument count calculation in create_dirty_log() performs

`*args_used = 2 + param_count` before validating against argc. When a

user provides a param_count close to UINT_MAX via the device mapper

table string, this unsigned addition wraps around to a small value,

causing the subsequent `argc < *args_used` check to be bypassed.

The overflowed param_count is then passed as argc to dm_dirty_log_create(),

where it can cause out-of-bounds reads on the argv array.

Fix by comparing param_count against argc - 2 before performing the

addition, following the same pattern used by parse_features() in the

same file. Since argc >= 2 is already guaranteed, the subtraction is

safe.

NVD Source

Technical Analysis

CVE-2026-46023 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-46023
SeverityNONE
CISA KEVNo
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46023 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.