CVE-2026-23474
5.5 MEDIUMIn the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFI...
Published: 2026-04-03 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 5.5 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
| Vendor | Product |
|---|---|
| linux | linux_kernel |
Description
In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation." Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-23474
- [Patch]https://git.kernel.org/stable/c/0b08be5aca212a99f8ba786fee4922feac08002c
- [Patch]https://git.kernel.org/stable/c/2025b2d1f9d5cad6ea6fe85654c6c41297c3130b
- [Patch]https://git.kernel.org/stable/c/75a4d8cfe7784f909b3bd69325abac8e04ecb385
- [Patch]https://git.kernel.org/stable/c/8e2f8020270af7777d49c2e7132260983e4fc566
- [Patch]https://git.kernel.org/stable/c/c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c
- [Patch]https://git.kernel.org/stable/c/ca235d11fc2fd8fce1dcd9d732dc780be0cde2de
- [Patch]https://git.kernel.org/stable/c/d8570211a2b1ec886a462daa0be4e9983ac768bb
- [Patch]https://git.kernel.org/stable/c/e0065e106f798ce6862251bc4fc030ac5cead940
Related CVEs
Same vendor
- CVE-2026-46273 — In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapt... (8.6 HIGH)
- CVE-2026-46272 — In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode ... (4.7 MEDIUM)
- CVE-2026-46271 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: do WoW offloads only on primary link In case of multi... (7.8 HIGH)
- CVE-2026-46270 — In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() ... (8.4 HIGH)
- CVE-2026-46269 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix NULL pointer dereference when parsing dev... (5.5 MEDIUM)