In the Linux kernel, the following vulnerability has been resolved:
mtd: spi-nor: debugfs: fix out-of-bounds read in spinorparams_show()
Sashiko noticed an out-of-bounds read [1].
In spinorparamsshow(), the snorfnames array is passed to spinorprintflags() using sizeof(snorfnames).
Since snorfnames is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.
Inside spinorprintflags(), the 'nameslen' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.
Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46190.json"
}