## Summary

Integer overflow in `_int_memalign` when computing `nb + alignment + MINSIZE` causes allocation of a tiny buffer while writing heap metadata at huge offsets, resulting in memory corruption.

## Vulnerable Code

```c
// malloc/malloc.c:4701-4746
static void *
_int_memalign (mstate av, size_t alignment, size_t bytes)
{
  mchunkptr p, newp;

  if (bytes > PTRDIFF_MAX)   // Only checks bytes
    {
      __set_errno (ENOMEM);
      return NULL;
    }

  size_t nb = checked_request2size (bytes);

  /* Call malloc with worst case padding to hit alignment. */
  void *m = _int_malloc (av, nb + alignment + MINSIZE);   // <-- OVERFLOW HERE
  if (m == NULL)
    return NULL;

  p = mem2chunk (m);
  ...
  size_t size = chunksize (p);   // Returns tiny size from undersized chunk

  if (!PTR_IS_ALIGNED (m, alignment))
    {
      ...
      set_head (newp, size | PREV_INUSE | arena_flag);   // Writes at wrong offset
      set_inuse_bit_at_offset (newp, size);              // Heap corruption
      ...
    }
```

When `alignment = 2^63` and `bytes ≈ PTRDIFF_MAX`, the sum wraps to ~0. The allocator returns a tiny chunk, but the code writes headers based on the expected huge size.

## Root Cause

Commit `9bf8e29ca13` (2018-12-18, "malloc: make malloc fail with requests larger than PTRDIFF_MAX") removed the overflow guard that was added in `8e448310d7` (BZ#22343):

```c
// Removed check:
if (nb > SIZE_MAX - alignment - MINSIZE)
  {
    __set_errno (ENOMEM);
    return 0;
  }
```

The author assumed capping `bytes` at `PTRDIFF_MAX` was sufficient, but `alignment` can be up to `2^63`, making the sum still overflow.

## Affected Functions

`posix_memalign`, `aligned_alloc`, `memalign`, `valloc`, `pvalloc`

## Reproduction

```c
#include <stdlib.h>
#include <stdint.h>

int main(void)
{
  void *p;
  posix_memalign(&p, 1ULL << 63, PTRDIFF_MAX - 0x30);
  return 0;
}
```

**Result:** SIGSEGV in `_int_memalign` (heap metadata write beyond allocation).
```
0x0000ffff97251eec in _int_memalign (av=av@entry=0xffff97360af0 <main_arena>, alignment=9223372036854775808, bytes=bytes@entry=9223372036854775759) at ./malloc/malloc.c:4999
#0  0x0000ffff97251eec in _int_memalign (av=av@entry=0xffff97360af0 <main_arena>, alignment=9223372036854775808, bytes=bytes@entry=9223372036854775759) at ./malloc/malloc.c:4999
#1  0x0000ffff972527bc in _mid_memalign (alignment=<optimized out>, alignment@entry=9223372036854775808, bytes=bytes@entry=9223372036854775759, address=<optimized out>) at ./malloc/malloc.c:3557
#2  0x0000ffff9725405c in __posix_memalign (size=9223372036854775759, alignment=9223372036854775808, memptr=0xffffe817a690) at ./malloc/malloc.c:5686
#3  __posix_memalign (memptr=0xffffe817a690, alignment=9223372036854775808, size=9223372036854775759) at ./malloc/malloc.c:5670
#4  0x0000aaaad93709ac in main () at memalign_overflow_poc.c:39
```

Reported-by: Igor Morgenstern, Aisle Research
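The size arithmetic from the report, worked through as an added example (this is not glibc's code and not part of the bug report): `request2size` rounds the request as glibc does, `padded_request_unchecked` is the wrapping sum the vulnerable code passes to `_int_malloc`, and `memalign_request_overflows` is the dropped `nb > SIZE_MAX - alignment - MINSIZE` guard. `padded_request_checked` is a hypothetical front end that applies both the `PTRDIFF_MAX` cap and the reinstated guard. The constants assume a 64-bit glibc layout (16-byte `MALLOC_ALIGNMENT`, 32-byte `MINSIZE`); the inputs are the report's `alignment = 2^63`, `bytes = PTRDIFF_MAX - 0x30`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants assumed to mirror 64-bit glibc malloc (constructed for this
   example; the real definitions live in malloc/malloc.c). */
#define SIZE_SZ           (sizeof (size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           ((size_t) 32)   /* smallest chunk on 64-bit, assumed */

/* Round a user request up to a chunk size, as glibc's request2size does. */
static size_t
request2size (size_t req)
{
  if (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
    return MINSIZE;
  return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* The padded size the vulnerable code hands to _int_malloc.  Unsigned
   addition wraps silently, so a huge nb plus a huge alignment comes out tiny. */
static size_t
padded_request_unchecked (size_t nb, size_t alignment)
{
  return nb + alignment + MINSIZE;
}

/* The guard that was dropped and later reinstated: true when
   nb + alignment + MINSIZE does not fit in a size_t.  Assumes alignment is a
   power of two no larger than 2^63, as _mid_memalign guarantees, so the
   right-hand side cannot itself wrap. */
static bool
memalign_request_overflows (size_t nb, size_t alignment)
{
  return nb > SIZE_MAX - alignment - MINSIZE;
}

/* Hypothetical safe front end: stores the padded request in *out and returns
   false (the caller would set ENOMEM) instead of letting the sum wrap. */
static bool
padded_request_checked (size_t bytes, size_t alignment, size_t *out)
{
  if (bytes > PTRDIFF_MAX)          /* the check the 2018 commit kept */
    return false;
  size_t nb = request2size (bytes);
  if (memalign_request_overflows (nb, alignment))   /* the check it dropped */
    return false;
  *out = nb + alignment + MINSIZE;
  return true;
}

int
main (void)
{
  /* Constructed inputs matching the report. */
  size_t alignment = (size_t) 1 << 63;
  size_t bytes = (size_t) PTRDIFF_MAX - 0x30;
  size_t nb = request2size (bytes);
  size_t padded = 0;

  printf ("nb            = %#zx\n", nb);
  printf ("unchecked sum = %#zx (wrapped)\n",
          padded_request_unchecked (nb, alignment));
  printf ("checked       = %s\n",
          padded_request_checked (bytes, alignment, &padded) ? "ok" : "ENOMEM");

  /* An ordinary request passes the guard untouched. */
  printf ("1000 bytes at 4096 -> %s (padded %zu)\n",
          padded_request_checked (1000, 4096, &padded) ? "ok" : "ENOMEM",
          padded);
  return 0;
}
```

With the report's inputs `nb` is `0x7fffffffffffffe0`, the unchecked sum wraps to exactly 0, and the guard rejects the request; a normal request such as 1000 bytes at 4096-byte alignment passes with the expected padding.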
There is no known application impact for this issue.
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c9188d333717d3ceb7e3020011651f424f749f93

commit c9188d333717d3ceb7e3020011651f424f749f93
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
The release/2.42/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b0ec8fb689df862171f0f78994a3bdeb51313545

commit b0ec8fb689df862171f0f78994a3bdeb51313545
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.41/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1e2c1ea4307197ccece0cda574bcfebf9080894c

commit 1e2c1ea4307197ccece0cda574bcfebf9080894c
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bfc4dd9e526eacf3017dd8864ba0848e9d045dd4

commit bfc4dd9e526eacf3017dd8864ba0848e9d045dd4
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.39/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fb22fd3f5b415dd4cd6f7b5741c2f0412374e242

commit fb22fd3f5b415dd4cd6f7b5741c2f0412374e242
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=744b63026a29f7eedbbc8e3a01a7f48a6eb0a085

commit 744b63026a29f7eedbbc8e3a01a7f48a6eb0a085
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b913d41a07836def826f2164c52541a9835f324

commit 7b913d41a07836def826f2164c52541a9835f324
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fb6b8822175769b5794fb6ea04f2895483a29b61

commit fb6b8822175769b5794fb6ea04f2895483a29b61
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=499d1ccafccfe64df1b88deea2fa84d8180e8e8f

commit 499d1ccafccfe64df1b88deea2fa84d8180e8e8f
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c77e52108a58956c9f674b36e1f59a4e3fdcf4d

commit 2c77e52108a58956c9f674b36e1f59a4e3fdcf4d
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.33/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=011293b4fd748cdd6f95874ba2b6aba9a3df8bff

commit 011293b4fd748cdd6f95874ba2b6aba9a3df8bff
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.32/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8aef9e7a7af9565c0324b4ecb38b30dfa3782fd8

commit 8aef9e7a7af9565c0324b4ecb38b30dfa3782fd8
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.31/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f18446d7b4a423090ee5e328c36b3c2a0f26041c

commit f18446d7b4a423090ee5e328c36b3c2a0f26041c
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
The release/2.30/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f19ef14fbce095d4c77395e258320cad2ea2b28

commit 7f19ef14fbce095d4c77395e258320cad2ea2b28
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date:   Thu Jan 15 06:06:40 2026 -0500

    memalign: reinstate alignment overflow check (CVE-2026-0861)

    The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
    overflow check for alignment in memalign functions, _mid_memalign and
    _int_memalign.  Reinstate the overflow check in _int_memalign, aligned
    with the PTRDIFF_MAX change since that is directly responsible for the
    CVE.  The missing _mid_memalign check is not relevant (and does not have
    a security impact) and may need a different approach to fully resolve,
    so it has been omitted.

    CVE-Id: CVE-2026-0861
    Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
    Reported-by: Igor Morgenstern, Aisle Research
    Fixes: BZ #33796
    Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
    Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
    (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
Fixed in all branches.