HIGH | CVE-2026-46006 | CNA: Linux
CVE-2026-46006: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

nouveau_gem_pushbuf_reloc_apply() validates each relocation with

    if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)

but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size.

Cast to u64 so the addition happens in 64-bit arithmetic.

[ Add Fixes: tag. - Danilo ]
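The wrap described above, as an added user-space model (not the kernel source or the upstream patch): the two helper functions, the 4096-byte buffer size and the scan window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape of the check: uint32_t + int literal is evaluated in
 * 32 bits, so an offset within 4 of UINT32_MAX wraps to 0..3. */
static bool reloc_rejected_u32(uint32_t reloc_bo_offset, size_t bo_size)
{
    return reloc_bo_offset + 4 > bo_size;
}

/* Post-fix shape: widen the offset first, so the sum cannot wrap. */
static bool reloc_rejected_u64(uint32_t reloc_bo_offset, size_t bo_size)
{
    return (uint64_t)reloc_bo_offset + 4 > bo_size;
}

/* Count offsets near UINT32_MAX that the 32-bit check lets through
 * although the 64-bit check rejects them (hypothetical audit helper). */
static unsigned wrongly_accepted(size_t bo_size)
{
    unsigned n = 0;
    for (uint32_t k = 0; k < 64; k++) {
        uint32_t off = UINT32_MAX - k;
        if (!reloc_rejected_u32(off, bo_size) &&
            reloc_rejected_u64(off, bo_size))
            n++;
    }
    return n;
}

int main(void)
{
    const size_t bo_size = 4096;  /* constructed sample: one-page BO */
    const uint32_t offsets[] = {  /* constructed sample offsets */
        0, 4092, 4093, 0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFFu,
    };
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("offset 0x%08x: 32-bit check %s, 64-bit check %s\n",
               (unsigned)offsets[i],
               reloc_rejected_u32(offsets[i], bo_size) ? "rejects" : "accepts",
               reloc_rejected_u64(offsets[i], bo_size) ? "rejects" : "accepts");
    printf("offsets accepted only by the 32-bit check: %u\n",
           wrongly_accepted(bo_size));
    return 0;
}
```

The two checks disagree only on the last four offsets below 2^32, which is the window the cast to u64 closes.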
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
Affected packages
- Linux / Linux: < fa297e919d1680c38ab268ff952b1698dac987f6 (from a1606a9596e54da90ad6209071b357a4c1b0fa82) · < d749a9a0ee4014681487e7ae549901aa8c176637 (from a1606a9596e54da90ad6209071b357a4c1b0fa82) · < 332884f5eb79dd60a7162b079d09d39208567a31 (from a1606a9596e54da90ad6209071b357a4c1b0fa82) · < e441d5c23ec644c8d27593db3b8928e8933512a9 (from a1606a9596e54da90ad6209071b357a4c1b0fa82) · < 2fc87d37be1b730a149b035f9375fdb8cc5333a5 (from a1606a9596e54da90ad6209071b357a4c1b0fa82)
- Linux / Linux 2.6.34: Fixed in 0, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H