Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Sanitize payload size to prevent member overflow

In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size
reported by firmware is used to calculate the copy length into
item->iocb. However, the iocb member is defined as a fixed-size 64-byte
array within struct purex_item.

If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will
overflow the iocb member boundary. While extra memory might be allocated,
this cross-member write is unsafe and triggers warnings under
CONFIG_FORTIFY_SOURCE.

Fix this by capping total_bytes to the size of the iocb member (64 bytes)
before allocation and copying. This ensures all copies remain within the
bounds of the destination structure member.
Published: 2026-02-04
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability occurs when the qla2xxx driver copies a firmware‑reported frame size into a fixed‑size 64‑byte buffer without validating the size. If the firmware reports a value larger than 64 bytes, the driver performs a memcpy that writes past the array boundary. The write corrupts adjacent memory in kernel space, which can be leveraged to execute arbitrary code or crash the system. The impact can be escalation of privileges from a local user to root, denial of service, or potential remote compromise if the attacker can control device firmware or messages.

Affected Systems

All Linux kernel releases that include the qla2xxx SCSI driver and the qla27xx subnet modules before the patch. The affected vendor is the Linux community and the kernel maintainer for the qla2xxx driver. The patch references commit identifiers that address the buffer overflow. Users of QLogic SCSI devices running an unpatched kernel are affected.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, but the absence of a KEV list does not guarantee that no exploits exist. The overflow occurs in kernel mode, so exploitation requires a local attacker who can communicate with the QLogic device or send malformed firmware data. With this boundary check missing, an attacker can craft a payload that triggers the overflow, potentially leading to arbitrary kernel code execution or system crash. Given the kernel’s privileged context, the impact is severe if successfully exploited.

Generated by OpenCVE AI on April 17, 2026 at 23:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version containing the fix that caps the copy length at 64 bytes, as referenced by the commit IDs linked in the advisory.
  • If an updated kernel is not available, remove or disable the qla2xxx driver or disconnect the QLogic SCSI hardware to eliminate the vulnerable code path.
  • Enable kernel hardening options such as CONFIG_FORTIFY_SOURCE to add bounds checking to vulnerable functions as a temporary precaution.

Generated by OpenCVE AI on April 17, 2026 at 23:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6126-1 linux security update
History

Sat, 18 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-188

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE. Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member.
Title scsi: qla2xxx: Sanitize payload size to prevent member overflow
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:57.590Z

Reserved: 2026-01-13T15:37:45.952Z

Link: CVE-2026-23059

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-02-04T17:16:16.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23059

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23059 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses