Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()

A malicious or compromised VIO server can return a num_written value in the
discover targets MAD response that exceeds max_targets. This value is
stored directly in vhost->num_targets without validation, and is then used
as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
is only allocated for max_targets entries. Indices at or beyond max_targets
access kernel memory outside the DMA-coherent allocation. The
out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
MADs that are sent back to the VIO server, leaking kernel memory.

Fix by clamping num_written to max_targets before storing it.
Published: 2026-04-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux ibmvfc SCSI driver includes an unchecked “num_written” value returned by a VIO server. When this value exceeds the allocated target array size, it is stored in vhost->num_targets and later used as a loop bound during target allocation. Because the buffer is only sized for max_targets entries, the driver indexes beyond the allocation and reads kernel memory located outside the DMA‑coherent buffer. The data read is subsequently piggybacked into Implicit Logout and PLOGI messages sent back to the VIO server, allowing an attacker to obtain arbitrary kernel memory. This out-of-bounds read aligns with CWE‑125 (Out‑of‑bounds Read) and CWE‑1285 (Improper Bound Checking).

Affected Systems

All Linux kernel builds that include the ibmvfc driver before the fix are affected. No specific version range is supplied, so any kernel with the vulnerable code prior to the commit that clamps “num_written” to “max_targets” is susceptible. Updating to a kernel version that incorporates the relevant commit resolves the issue.

Risk and Exploitability

An attacker who can control or compromise a VIO server can send a crafted discovery targets MAD to a Linux host. No local privileges are required; the exploit relies solely on network communication with the SCSI driver. The vulnerability is not listed in the CISA KEV catalog, and the EPSS score is < 1%, indicating a very low but non‑zero probability of exploitation. The CVSS score of 8.1 classifies the flaw as high severity. The risk still hinges on the presence of untrusted VIO traffic within the trusted network segment of the host.

Generated by OpenCVE AI on May 7, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that incorporates the ibmvfc OOB read fix (e.g., after the commit that clamps num_written to max_targets).
  • Restart the host or reload the kernel modules to ensure the updated driver is active and no legacy ibmvfc modules remain loaded.
  • Restrict VIO server access by configuring firewalls or network segmentation so that only authorized VIO servers can communicate with the host.

Generated by OpenCVE AI on May 7, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 07 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Tue, 28 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
Title scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:14.078Z

Reserved: 2026-03-09T15:48:24.097Z

Link: CVE-2026-31464

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:42.450

Modified: 2026-05-07T18:28:45.780

Link: CVE-2026-31464

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31464 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T19:30:27Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input