In the Linux kernel, the following vulnerability has been resolved:
dm log: fix out-of-bounds write due to region_count overflow
The local variable regioncount in createlogcontext() is declared as unsigned int (32-bit), but dmsectordivup() returns sectort (64-bit). When a device-mapper target has a sufficiently large ti->len with a small regionsize, the division result can exceed UINTMAX. The truncated value is then used to calculate bitsetsize, causing cleanbits, syncbits, and recovering_bits to be allocated far smaller than needed for the actual number of regions.
Subsequent log operations (logsetbit, logclearbit, logtestbit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region_count overflows 32 bits:
dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1):
$ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in coreinsync:
BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:coreinsync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed!
Fix by widening the local regioncount to sectort and adding an explicit overflow check before the value is assigned to lc->region_count.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53059.json",
"cna_assigner": "Linux"
}