U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2026-53059

Change History

New CVE Received from kernel.org 6/24/2026 1:17:18 PM

Action Type Old Value New Value
Added Description

                  
                
              
In the Linux kernel, the following vulnerability has been resolved:

dm log: fix out-of-bounds write due to region_count overflow

The local variable region_count in create_log_context() is declared as
unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).
When a device-mapper target has a sufficiently large ti->len with a small
region_size, the division result can exceed UINT_MAX. The truncated
value is then used to calculate bitset_size, causing clean_bits,
sync_bits, and recovering_bits to be allocated far smaller than needed
for the actual number of regions.

Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use
region indices derived from the full untruncated region space, causing
out-of-bounds writes to kernel heap memory allocated by vmalloc.

This can be reproduced by creating a mirror target whose region_count
overflows 32 bits:

  dmsetup create bigzero --table '0 8589934594 zero'
  dmsetup create mymirror --table '0 8589934594 mirror \
    core 2 2 nosync 2 /dev/mapper/bigzero 0 \
    /dev/mapper/bigzero 0'

The status output confirms the truncation (sync_count=1 instead of
4294967297, because 0x100000001 was truncated to 1):

  $ dmsetup status mymirror
  0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...

This leads to a kernel crash in core_in_sync:

  BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
  RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
  CR2: 0000000000000008
  Fixing recursive fault but reboot is needed!

Fix by widening the local region_count to sector_t and adding an
explicit overflow check before the value is assigned to lc->region_count.
Added Reference

                  
                
              
https://git.kernel.org/stable/c/12bd5b88e91a02785244ff1d20fb157e96e9cdc8
Added Reference

                  
                
              
https://git.kernel.org/stable/c/3ec74da927b4e171a6fc0e77b1188ba4d019af51
Added Reference

                  
                
              
https://git.kernel.org/stable/c/44ab8875ae4a2842bde2d756bed195d375e0debb
Added Reference

                  
                
              
https://git.kernel.org/stable/c/4ec8323b9f0764a14d532b1ae9b87f8a9fecb867
Added Reference

                  
                
              
https://git.kernel.org/stable/c/b455903eed4558982be0811f5b7f44f6bbc4ff57
Added Reference

                  
                
              
https://git.kernel.org/stable/c/c20e36b7631d83e7535877f08af8b0af72c44b1a
Added Reference

                  
                
              
https://git.kernel.org/stable/c/d4ac87567f86a55c3c92e9a5144dcd943a9772a1
Added Reference

                  
                
              
https://git.kernel.org/stable/c/defe483e47173768c227532694dc78cb65db5f09
Added Affected

                  
                
              
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/md/dm-log.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"44ab8875ae4a2842bde2d756bed195d375e0debb","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"defe483e47173768c227532694dc78cb65db5f09","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"3ec74da927b4e171a6fc0e77b1188ba4d019af51","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"d4ac87567f86a55c3c92e9a5144dcd943a9772a1","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"12bd5b88e91a02785244ff1d20fb157e96e9cdc8","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"b455903eed4558982be0811f5b7f44f6bbc4ff57","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"4ec8323b9f0764a14d532b1ae9b87f8a9fecb867","versionType":"git","status":"affected"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"c20e36b7631d83e7535877f08af8b0af72c44b1a","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/md/dm-log.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","versionType":"semver","status":"unaffected"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","versionType":"semver","status":"unaffected"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.141","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]