In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. [ Add Fixes: tag. - Danilo ]

A flaw was found in the Linux kernel's `drm/nouveau` driver. An integer overflow vulnerability exists in the `nouveau_gem_pushbuf_reloc_apply()` function. This occurs when a 32-bit unsigned integer `reloc_bo_offset` is used in a bounds check, and the addition of a small value can cause it to wrap around, leading to an incorrect comparison against the buffer size. This issue could potentially result in memory corruption or other unspecified security impacts.

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-46006 https://nvd.nist.gov/vuln/detail/CVE-2026-46006 https://lore.kernel.org/linux-cve-announce/2026052743-CVE-2026-46006-2a21@gregkh/T