{"id":"CVE-2026-46006","summary":"drm/nouveau: fix u32 overflow in pushbuf reloc bounds check","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix u32 overflow in pushbuf reloc bounds check\n\nnouveau_gem_pushbuf_reloc_apply() validates each relocation with\n\n    if (r-\u003ereloc_bo_offset + 4 \u003e nvbo-\u003ebo.base.size)\n\nbut reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer\nliteral 4 promotes to unsigned int, so the addition is performed in 32\nbits and wraps before the comparison against the size_t bo size.\n\nCast to u64 so the addition happens in 64-bit arithmetic.\n\n[ Add Fixes: tag. - Danilo ]","modified":"2026-06-05T18:29:27.480736695Z","published":"2026-05-27T12:56:05.273Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46006.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46006.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46006"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a1606a9596e54da90ad6209071b357a4c1b0fa82"},{"fixed":"573a1104bd36e49c067a9dc62e7c476d5ee7e92a"},{"fixed":"45a45184b9c0b0b26ead06e370cda2073616a7cc"},{"fixed":"fa297e919d1680c38ab268ff952b1698dac987f6"},{"fixed":"d749a9a0ee4014681487e7ae549901aa8c176637"},{"fixed":"332884f5eb79dd60a7162b079d09d39208567a31"},{"fixed":"e441d5c23ec644c8d27593db3b8928e8933512a9"},{"fixed":"2fc87d37be1b730a149b035f9375fdb8cc5333a5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46006.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.34"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46006.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}