CVE-2026-52905
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's DAMON (Data Access Monitoring) subsystem. The damon_start() function did not validate whether the min_region_sz parameter is a power of two, allowing unaligned region address ranges. The issue has been fixed in a newer kernel version.
Risk Assessment
Organizations may face unpredictable memory access monitoring behavior, potentially leading to system errors or performance degradation. An attacker with local access could exploit this flaw to destabilize the system.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit patching damon_start()). Prior to updating, restrict access to the DAMON sysfs interface to trusted users only.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two min_region_sz on damon_start() Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start(). The issue was discovered by sashiko [1].

