{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23474", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.022Z", "datePublished": "2026-04-03T15:15:53.406Z", "dateUpdated": "2026-04-03T15:15:53.406Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:53.406Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Avoid boot crash in RedBoot partition table parser\n\nGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,\ncommit 439a1bcac648 (\"fortify: Use __builtin_dynamic_object_size() when\navailable\") produces the warning below and an oops.\n\n Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000\n ------------[ cut here ]------------\n WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1\n memcmp: detected buffer overflow: 15 byte read of buffer size 14\n Modules linked in:\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE\n\nAs Kees said, \"'names' is pointing to the final 'namelen' many bytes\nof the allocation ... 'namelen' could be basically any length at all.\nThis fortify warning looks legit to me -- this code used to be reading\nbeyond the end of the allocation.\"\n\nSince the size of the dynamic allocation is calculated with strlen()\nwe can use strcmp() instead of memcmp() and remain within bounds."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/parsers/redboot.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "0b08be5aca212a99f8ba786fee4922feac08002c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d8570211a2b1ec886a462daa0be4e9983ac768bb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "2025b2d1f9d5cad6ea6fe85654c6c41297c3130b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "75a4d8cfe7784f909b3bd69325abac8e04ecb385", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8e2f8020270af7777d49c2e7132260983e4fc566", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/mtd/parsers/redboot.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0b08be5aca212a99f8ba786fee4922feac08002c"}, {"url": "https://git.kernel.org/stable/c/d8570211a2b1ec886a462daa0be4e9983ac768bb"}, {"url": "https://git.kernel.org/stable/c/2025b2d1f9d5cad6ea6fe85654c6c41297c3130b"}, {"url": "https://git.kernel.org/stable/c/c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c"}, {"url": "https://git.kernel.org/stable/c/75a4d8cfe7784f909b3bd69325abac8e04ecb385"}, {"url": "https://git.kernel.org/stable/c/8e2f8020270af7777d49c2e7132260983e4fc566"}], "title": "mtd: Avoid boot crash in RedBoot partition table parser", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Avoid boot crash in RedBoot partition table parser\n\nGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,\ncommit 439a1bcac648 (\"fortify: Use __builtin_dynamic_object_size() when\navailable\") produces the warning below and an oops.\n\n Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000\n ------------[ cut here ]------------\n WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1\n memcmp: detected buffer overflow: 15 byte read of buffer size 14\n Modules linked in:\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE\n\nAs Kees said, \"'names' is pointing to the final 'namelen' many bytes\nof the allocation ... 'namelen' could be basically any length at all.\nThis fortify warning looks legit to me -- this code used to be reading\nbeyond the end of the allocation.\"\n\nSince the size of the dynamic allocation is calculated with strlen()\nwe can use strcmp() instead of memcmp() and remain within bounds."}], "id": "CVE-2026-23474", "lastModified": "2026-04-03T16:16:35.260", "metrics": {}, "published": "2026-04-03T16:16:35.260", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b08be5aca212a99f8ba786fee4922feac08002c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2025b2d1f9d5cad6ea6fe85654c6c41297c3130b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75a4d8cfe7784f909b3bd69325abac8e04ecb385"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8e2f8020270af7777d49c2e7132260983e4fc566"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d8570211a2b1ec886a462daa0be4e9983ac768bb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0b08be5aca212a99f8ba786fee4922feac08002c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2025b2d1f9d5cad6ea6fe85654c6c41297c3130b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,75a4d8cfe7784f909b3bd69325abac8e04ecb385)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8e2f8020270af7777d49c2e7132260983e4fc566)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c4054ad2d8bff4e8e937cd4a1d1a04c1e8f77a2c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,75a4d8cfe7784f909b3bd69325abac8e04ecb385)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8e2f8020270af7777d49c2e7132260983e4fc566)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:40:01.317756+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that incorporates commit 439a1bc, which replaces the unsafe memcmp with a bounded string comparison.", "If an immediate kernel upgrade is not possible, disable CONFIG_FORTIFY_SOURCE for the kernel build, or ensure that no unsafe partition table is loaded during boot.", "Verify that any custom firmware or bootloader does not provide malformed RedBoot metadata that could trigger the overflow."], "summary": {"action": "Patch", "impact": "Buffer overflow leading to kernel panic during boot"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Linux kernel builds that include RedBoot support and enable CONFIG_FORTIFY_SOURCE. The exact kernel release is not specified, but any active kernel incorporating the vulnerable code path is at risk until the fix is integrated. No version numbers are provided; the fix is contained in commit 439a1bc as part of the kernel next cycle.", "description_and_impact": "A flaw in the Linux kernel's MTD RedBoot partition table parser can cause a buffer overflow when the kernel runs the comparison routine guarded by CONFIG_FORTIFY_SOURCE. The overflow occurs because a dynamic allocation\u2019s size is incorrectly calculated using strlen, resulting in a memcmp that reads beyond the allocated memory. The immediate consequence is a kernel panic and system boot failure. The description does not indicate that arbitrary code can be executed; instead the primary impact is denial of service in the boot process. The weakness is a classic buffer overflow in kernel space.", "risk_and_exploitability": "The CVSS and EPSS data are unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating relatively low known exploitation activity. Exploitation would require control over the boot process or a malicious RedBoot partition table, and thus is limited to local or compromised devices. Nevertheless, the potential for a local attacker to render a system unbootable presents a moderate to high risk for affected installations, especially in environments where boot integrity is critical."}}}}, "created": "2026-04-03T21:13:24.949380+00:00", "updated": "2026-04-03T21:15:40.081927+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-119"]}