CVE-2026-46006
published 2026-05-27CVE-2026-46006: In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
nouveau_gem_pushbuf_reloc_apply() validates each relocation with
if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)
but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.
Cast to u64 so the addition happens in 64-bit arithmetic.
[ Add Fixes: tag. - Danilo ]
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < 573a1104bd36e49c067a9dc62e7c476d5ee7e92a | 573a1104bd36e49c067a9dc62e7c476d5ee7e92a |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < 45a45184b9c0b0b26ead06e370cda2073616a7cc | 45a45184b9c0b0b26ead06e370cda2073616a7cc |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < fa297e919d1680c38ab268ff952b1698dac987f6 | fa297e919d1680c38ab268ff952b1698dac987f6 |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < d749a9a0ee4014681487e7ae549901aa8c176637 | d749a9a0ee4014681487e7ae549901aa8c176637 |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < 332884f5eb79dd60a7162b079d09d39208567a31 | 332884f5eb79dd60a7162b079d09d39208567a31 |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < e441d5c23ec644c8d27593db3b8928e8933512a9 | e441d5c23ec644c8d27593db3b8928e8933512a9 |
| linux | linux | >= a1606a9596e54da90ad6209071b357a4c1b0fa82 < 2fc87d37be1b730a149b035f9375fdb8cc5333a5 | 2fc87d37be1b730a149b035f9375fdb8cc5333a5 |
| linux | linux_kernel | — | — |