CVE-2026-46253

HIGHPre-NVD 7.87.8
EchelonGraph scoreMEDIUM confidence

Score 7.8 from GitHub Security Advisory (severity: HIGH) published 2026-06-03. a secondary CVSS source baseline 7.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

A fix is available — apply it.

In the Linux kernel, the following vulnerability has been resolved:

pstore/ram: fix buffer overflow in persistent_ram_save_old()

persistent_ram_save_old() can be called multiple times for the same persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz for PSTORE_TYPE_DMESG records).

Currently, the function only allocates prz->old_log when it is NULL, but it unconditionally updates prz->old_log_size to the current buffer size and then performs memcpy_fromio() using this new size. If the buffer size has grown since the first allocation (which can happen across different kernel boot cycles), this leads to:

  • A heap buffer overflow (OOB write) in the memcpy_fromio() calls
  • A subsequent OOB read when ramoops_pstore_read() accesses the buffer
using the incorrect (larger) old_log_size

The KASAN splat would look similar to: BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x... Read of size N at addr ... by task ...

The conditions are likely extremely hard to hit:

  • Crash with a ramoops write of less-than-record-max-size bytes.
  • Reboot: ramoops registers, pstore_get_records(0) reads old crash,
allocates old_log with size X
  • Crash handler registered, timer started (if pstore_update_ms >= 0)
  • Oops happens (non-fatal, system continues)
  • pstore_dump() writes oops via ramoops_pstore_write() size Y (>X)
  • pstore_new_entry = 1, pstore_timer_kick() called
  • System continues running (not a panic oops)
  • Timer fires after pstore_update_ms milliseconds
  • pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1)
  • ramoops_get_next_prz() → persistent_ram_save_old()
  • buffer_size() returns Y, but old_log is X bytes
  • Y > X: memcpy_fromio() overflows heap

Requirements:

  • a prior crash record exists that did not fill the record size
(almost impossible since the crash handler writes as much as it can possibly fit into the record, capped by max record size and the kmsg buffer almost always exceeds the max record size)
  • pstore_update_ms >= 0 (disabled by default)
  • Non-fatal oops (system survives)

Free and reallocate the buffer when the new size differs from the previously allocated size. This ensures old_log always has sufficient space for the data being copied.

CVSS v3
7.8
EG Score
7.8(medium)
EPSS
3.4%
KEV
Not listed

Published

June 3, 2026

Last Modified

June 9, 2026

Advisory Details (8)

Auto-updated Jun 5, 2026
No patch confirmed yet.
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/cff0ef043e16feb5a02307c8f9d0117a96c5587c
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/9a6fc69a570c0780834246d52c856cc3dbc2605f
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/7cfe964e61c0ab667abd5f5b68e0acbf783efa4f
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/58bda5a1d1ee98254383ef34f76b2c35140513ea
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/5669645c052f235726a85f443769b6fc02f66762
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/4f73486ca822305c1cf5b8ebc0b53a6ab3801a81
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/2fa9a047c6a50ec80c3890dd623b85e237f0d1fd
generic

pstore/ram: fix buffer overflow in persistent_ram_save_old() - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/06d2c8bd108cea503f6f6e13e47495ed1085275f

Vendor Advisories for CVE-2026-46253(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

All Vendor Advisories

(8)

Data Freshness Timeline

(refreshed 19× in last 7d / 109× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 165 total refreshes for this CVE.

  1. 2026-07-15 16:57 UTCEPSS rescore
  2. 2026-07-15 02:00 UTCEPSS rescore
  3. 2026-07-14 16:36 UTCEG score recompute
  4. 2026-07-14 16:36 UTCGHSA enrichment
  5. 2026-07-14 03:30 UTCEG score recompute
  6. 2026-07-14 03:30 UTCGHSA enrichment
  7. 2026-07-13 22:30 UTCEPSS rescore
  8. 2026-07-13 06:13 UTCEPSS rescore
  9. 2026-07-12 05:46 UTCEPSS rescore
  10. 2026-07-12 00:39 UTCEG score recompute
  11. 2026-07-12 00:39 UTCVendor advisory
  12. 2026-07-12 00:38 UTCGHSA enrichment
  13. 2026-07-11 12:41 UTCEG score recompute
  14. 2026-07-11 12:41 UTCVendor advisory
  15. 2026-07-11 12:41 UTCGHSA enrichment
  16. 2026-07-11 08:27 UTCEPSS rescore
  17. 2026-07-09 19:10 UTCEPSS rescore
  18. 2026-07-09 06:49 UTCEG score recompute
  19. 2026-07-09 06:49 UTCGHSA enrichment
  20. 2026-07-08 16:25 UTCEG score recompute
  21. 2026-07-08 16:25 UTCGHSA enrichment
  22. 2026-07-08 15:16 UTCEPSS rescore
  23. 2026-07-07 13:46 UTCEPSS rescore
  24. 2026-07-06 16:27 UTCEPSS rescore
  25. 2026-07-06 02:23 UTCEPSS rescore
Show 75 more
  1. 2026-07-05 02:30 UTCEPSS rescore
  2. 2026-07-04 06:31 UTCEPSS rescore
  3. 2026-07-03 19:48 UTCEG score recompute
  4. 2026-07-03 19:48 UTCVendor advisory
  5. 2026-07-03 19:48 UTCGHSA enrichment
  6. 2026-07-03 00:27 UTCEG score recompute
  7. 2026-07-03 00:27 UTCVendor advisory
  8. 2026-07-03 00:26 UTCGHSA enrichment
  9. 2026-07-02 12:30 UTCEG score recompute
  10. 2026-07-02 12:30 UTCVendor advisory
  11. 2026-07-02 12:30 UTCGHSA enrichment
  12. 2026-07-01 23:22 UTCEG score recompute
  13. 2026-07-01 23:22 UTCVendor advisory
  14. 2026-07-01 23:22 UTCGHSA enrichment
  15. 2026-07-01 15:07 UTCEPSS rescore
  16. 2026-07-01 10:05 UTCEG score recompute
  17. 2026-07-01 10:05 UTCGHSA enrichment
  18. 2026-06-30 23:22 UTCEPSS rescore
  19. 2026-06-30 22:09 UTCEG score recompute
  20. 2026-06-30 22:09 UTCGHSA enrichment
  21. 2026-06-30 03:52 UTCEG score recompute
  22. 2026-06-30 03:52 UTCGHSA enrichment
  23. 2026-06-29 15:38 UTCEG score recompute
  24. 2026-06-29 15:38 UTCGHSA enrichment
  25. 2026-06-29 14:06 UTCEPSS rescore
  26. 2026-06-29 14:06 UTCEPSS rescore
  27. 2026-06-29 03:25 UTCEG score recompute
  28. 2026-06-29 03:25 UTCGHSA enrichment
  29. 2026-06-28 15:27 UTCEG score recompute
  30. 2026-06-28 15:27 UTCGHSA enrichment
  31. 2026-06-28 14:07 UTCEPSS rescore
  32. 2026-06-28 04:56 UTCEPSS rescore
  33. 2026-06-28 04:56 UTCEPSS rescore
  34. 2026-06-28 03:08 UTCEG score recompute
  35. 2026-06-28 03:08 UTCGHSA enrichment
  36. 2026-06-27 15:11 UTCEG score recompute
  37. 2026-06-27 15:11 UTCGHSA enrichment
  38. 2026-06-27 03:11 UTCEG score recompute
  39. 2026-06-27 03:11 UTCGHSA enrichment
  40. 2026-06-27 03:08 UTCEPSS rescore
  41. 2026-06-26 15:13 UTCEG score recompute
  42. 2026-06-26 15:13 UTCGHSA enrichment
  43. 2026-06-25 22:35 UTCEG score recompute
  44. 2026-06-25 22:35 UTCGHSA enrichment
  45. 2026-06-25 13:49 UTCEPSS rescore
  46. 2026-06-25 10:36 UTCEG score recompute
  47. 2026-06-25 10:36 UTCGHSA enrichment
  48. 2026-06-24 22:21 UTCEG score recompute
  49. 2026-06-24 22:21 UTCGHSA enrichment
  50. 2026-06-24 14:05 UTCEPSS rescore
  51. 2026-06-24 09:22 UTCEG score recompute
  52. 2026-06-24 09:22 UTCGHSA enrichment
  53. 2026-06-23 21:33 UTCEPSS rescore
  54. 2026-06-23 21:33 UTCEPSS rescore
  55. 2026-06-23 19:06 UTCEG score recompute
  56. 2026-06-23 19:05 UTCGHSA enrichment
  57. 2026-06-22 14:25 UTCEPSS rescore
  58. 2026-06-22 14:25 UTCEPSS rescore
  59. 2026-06-21 14:56 UTCEPSS rescore
  60. 2026-06-21 14:56 UTCEPSS rescore
  61. 2026-06-21 01:59 UTCEPSS rescore
  62. 2026-06-21 01:59 UTCEPSS rescore
  63. 2026-06-20 12:44 UTCEG score recompute
  64. 2026-06-20 12:44 UTCGHSA enrichment
  65. 2026-06-19 20:37 UTCEG score recompute
  66. 2026-06-19 20:37 UTCGHSA enrichment
  67. 2026-06-19 19:26 UTCEPSS rescore
  68. 2026-06-19 19:26 UTCEPSS rescore
  69. 2026-06-18 21:33 UTCEG score recompute
  70. 2026-06-18 21:33 UTCGHSA enrichment
  71. 2026-06-18 17:52 UTCEPSS rescore
  72. 2026-06-18 17:52 UTCEPSS rescore
  73. 2026-06-18 07:48 UTCEG score recompute
  74. 2026-06-18 07:48 UTCGHSA enrichment
  75. 2026-06-17 19:32 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-46253?
CVE-2026-46253 is a high vulnerability published on June 3, 2026. In the Linux kernel, the following vulnerability has been resolved: pstore/ram: fix buffer overflow in persistentramsave_old() persistentramsave_old() can be called multiple times for the same persistentramzone (e.g., via ramoopspstoreread -> ramoopsgetnext_prz for PSTORETYPEDMESG records).…
When was CVE-2026-46253 disclosed?
CVE-2026-46253 was first published in the National Vulnerability Database on June 3, 2026, with the most recent update on June 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-46253 actively exploited?
CVE-2026-46253 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-46253?
CVE-2026-46253 has a CVSS v3 base score of 7.8 (NVD).
How do I remediate CVE-2026-46253?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46253, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-46253

Explore →

Is Your Infrastructure Affected by CVE-2026-46253?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.