Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: file: Use kzalloc_flex for aio_cmd

The target_core_file doesn't initialize the aio_cmd->iocb for the
ki_write_stream. When a write command fd_execute_rw_aio() is executed,
we may get a bogus ki_write_stream value, causing unintended write
failure status when checking iocb->ki_write_stream > max_write_streams
in the block device.

Let's just use kzalloc_flex when allocating the aio_cmd and let
ki_write_stream=0 to fix this issue.
Published: 2026-05-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel SCSI target subsystem contains a defect where the target_core_file module does not initialize the aio_cmd->iocb ki_write_stream field when handling a write command. The uninitialized field can mistakenly indicate a write stream count that exceeds the maximum, causing the kernel to return a failure status for the operation. This flaw, classified as CWE-824, may lead to data loss or operation failure for services that depend on correct write completion behavior. No direct path for code execution or privilege escalation is disclosed by the description, but the impact on data integrity and service availability is significant if the error propagates to user‑level processes.
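A userspace model of the defect described above, added here as an illustration and not taken from the kernel source or the fix commit. The struct layouts, the 0x6b fill standing in for stale heap bytes, the -EINVAL status and every `*_model` name are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (layouts are assumptions). */
struct kiocb_model { long ki_pos; unsigned char ki_write_stream; };
struct bvec_model { void *page; unsigned int len; };
struct aio_cmd_model {
    struct kiocb_model iocb;
    unsigned int bvecs_cnt;
    struct bvec_model bvecs[];          /* flexible array member */
};

/* Allocate header + nvecs trailing elements; zeroed=0 models the old path. */
static struct aio_cmd_model *cmd_alloc(unsigned int nvecs, int zeroed)
{
    size_t sz = sizeof(struct aio_cmd_model) + nvecs * sizeof(struct bvec_model);
    struct aio_cmd_model *c = zeroed ? calloc(1, sz) : malloc(sz);
    if (!c)
        return NULL;
    if (!zeroed)
        memset(c, 0x6b, sz);   /* constructed stand-in for stale heap bytes */
    c->iocb.ki_pos = 0;        /* caller sets known fields, not ki_write_stream */
    c->bvecs_cnt = nvecs;
    return c;
}

/* The comparison quoted in the description; -EINVAL is an assumed status. */
static int write_stream_check(const struct kiocb_model *iocb, unsigned int max_write_streams)
{
    return iocb->ki_write_stream > max_write_streams ? -EINVAL : 0;
}

/* Returns the status a write would get for a freshly built command. */
int submit_write(unsigned int nvecs, int zeroed, unsigned int max_write_streams)
{
    struct aio_cmd_model *c = cmd_alloc(nvecs, zeroed);
    int ret = c ? write_stream_check(&c->iocb, max_write_streams) : -ENOMEM;
    free(c);
    return ret;
}

int main(void)
{
    printf("stale=%d zeroed=%d\n", submit_write(4, 0, 0), submit_write(4, 1, 0));
    return 0;
}
```

Whether the stale value trips the check depends on both the leftover byte and the device's stream limit, which is why the failure appears intermittent on unpatched systems.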

Affected Systems

All Linux kernel releases that include the target_core_file module prior to the commit adding kzalloc_flex allocation and explicit ki_write_stream initialization are potentially vulnerable. Because no specific version numbers are listed, any unpatched kernel version that still uses the old allocation logic should be considered at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity kernel-space flaw, but the EPSS score of <1% suggests that active exploitation is not currently documented. The likely attack vector is local or privileged execution that can submit write requests through the SCSI target interface, as the flaw is triggered by fd_execute_rw_aio(). Based on the description, it is inferred that remote exploitation without accessing the target device is not feasible. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the kzalloc_flex allocation change and sets ki_write_stream to zero during aio_cmd construction.
  • If an immediate kernel upgrade is not feasible, unload the target_core_file module or block its loading to eliminate the faulty path.
  • Alternatively, restrict write operations on the SCSI target interface through device or system policies to reduce the attack surface.



Advisories

No advisories yet.

History

Thu, 07 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: target: file: Use kzalloc_flex for aio_cmd The target_core_file doesn't initialize the aio_cmd->iocb for the ki_write_stream. When a write command fd_execute_rw_aio() is executed, we may get a bogus ki_write_stream value, causing unintended write failure status when checking iocb->ki_write_stream > max_write_streams in the block device. Let's just use kzalloc_flex when allocating the aio_cmd and let ki_write_stream=0 to fix this issue.
Title scsi: target: file: Use kzalloc_flex for aio_cmd
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:50.587Z

Reserved: 2026-05-01T14:12:55.980Z

Link: CVE-2026-43055

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:52.040

Modified: 2026-05-07T18:58:41.247

Link: CVE-2026-43055

Redhat

Severity: Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43055 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T20:45:22Z
