PT-2026-46016 · Linux · Linux

Published

2026-06-03

·

Updated

2026-06-03

·

CVE-2026-46253

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: fix buffer overflow in persistent ram save old()
persistent ram save old() can be called multiple times for the same persistent ram zone (e.g., via ramoops pstore read -> ramoops get next prz for PSTORE TYPE DMESG records).
Currently, the function only allocates prz->old log when it is NULL, but it unconditionally updates prz->old log size to the current buffer size and then performs memcpy fromio() using this new size. If the buffer size has grown since the first allocation (which can happen across different kernel boot cycles), this leads to:
  1. A heap buffer overflow (OOB write) in the memcpy fromio() calls
  2. A subsequent OOB read when ramoops pstore read() accesses the buffer using the incorrect (larger) old log size
The KASAN splat would look similar to: BUG: KASAN: slab-out-of-bounds in ramoops pstore read+0x... Read of size N at addr ... by task ...
The conditions are likely extremely hard to hit:
  1. Crash with a ramoops write of less-than-record-max-size bytes.
  2. Reboot: ramoops registers, pstore get records(0) reads old crash, allocates old log with size X
  3. Crash handler registered, timer started (if pstore update ms >= 0)
  4. Oops happens (non-fatal, system continues)
  5. pstore dump() writes oops via ramoops pstore write() size Y (>X)
  6. pstore new entry = 1, pstore timer kick() called
  7. System continues running (not a panic oops)
  8. Timer fires after pstore update ms milliseconds
  9. pstore timefunc() → schedule work() → pstore dowork() → pstore get records(1)
  10. ramoops get next prz() → persistent ram save old()
  11. buffer size() returns Y, but old log is X bytes
  12. Y > X: memcpy fromio() overflows heap
Requirements:
  • a prior crash record exists that did not fill the record size (almost impossible since the crash handler writes as much as it can possibly fit into the record, capped by max record size and the kmsg buffer almost always exceeds the max record size)
  • pstore update ms >= 0 (disabled by default)
  • Non-fatal oops (system survives)
Free and reallocate the buffer when the new size differs from the previously allocated size. This ensures old log always has sufficient space for the data being copied.

Related Identifiers

CVE-2026-46253

Affected Products

Linux