Description
In the Linux kernel, the following vulnerability has been resolved:

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read
when the queue reader or writer index from hardware exceeds
REMOTE_QUEUE_SIZE (60).

A compromised service processor can trigger this by writing an
out-of-range value to the reader or writer MMIO register before
asserting an interrupt. Since writer is re-read from hardware on
every loop iteration, it can also be set to an out-of-range value
after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return
raw readl() values that are passed directly into get_queue_entry(),
which computes:

queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to
memcpy_fromio(), reading 8 bytes from unintended device registers.
For sufficiently large values the address falls outside the PCI BAR
mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of
the loop body, before any call to get_queue_entry(). On an out-of-range
value, reset the reader register to 0 via set_queue_reader() before
breaking, so that normal queue operation can resume if the corrupted
hardware state is transient.
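
The fix described above, modelled in user space as an added example (not the kernel patch or the driver's source). `struct fake_sp`, its glitch fields and `drain_queue()` are constructed for illustration, plain `memcpy()` stands in for `memcpy_fromio()`, and valid indices are assumed to be 0 to REMOTE_QUEUE_SIZE - 1 with wrap-around on advance.

```c
#include <stdint.h>
#include <string.h>

#define REMOTE_QUEUE_SIZE 60

struct remote_input { uint8_t raw[8]; };   /* 8-byte entry, per the description */

/* Constructed stand-in for the device's MMIO window (not the driver's layout). */
struct fake_sp {
    uint32_t reader, writer;               /* index registers the device controls */
    struct remote_input queue[REMOTE_QUEUE_SIZE];
    unsigned writer_reads;                 /* how often the writer register was read */
    unsigned glitch_on_read;               /* on this read (1-based, 0 = never) ... */
    uint32_t glitch_value;                 /* ... the device reports this writer */
};

static uint32_t get_queue_reader(struct fake_sp *sp) { return sp->reader; }
static void set_queue_reader(struct fake_sp *sp, uint32_t v) { sp->reader = v; }
static uint32_t get_queue_writer(struct fake_sp *sp)
{
    if (++sp->writer_reads == sp->glitch_on_read)
        sp->writer = sp->glitch_value;     /* device changes the index mid-loop */
    return sp->writer;
}

/* Returns entries consumed, or -1 if an out-of-range index was rejected. */
static int drain_queue(struct fake_sp *sp)
{
    struct remote_input input;
    uint32_t reader = get_queue_reader(sp);
    uint32_t writer = get_queue_writer(sp);
    int consumed = 0;

    while (reader != writer) {
        /* Check both indices before any entry address is formed. */
        if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
            set_queue_reader(sp, 0);       /* let the queue recover if transient */
            return -1;
        }
        memcpy(&input, &sp->queue[reader], sizeof(input)); /* memcpy_fromio() stand-in */
        consumed++;
        reader = (reader + 1) % REMOTE_QUEUE_SIZE;         /* assumed wrap-around */
        set_queue_reader(sp, reader);
        writer = get_queue_writer(sp);     /* re-read on every iteration */
    }
    return consumed;
}
```

Checking only once before the loop would miss the third case in the description, where the writer index goes out of range after iteration has started.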
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ibmasm mouse‑interrupt routine in the Linux kernel reads reader and writer indices directly from hardware MMIO registers and uses them to compute an address for a memory copy. Because the routine performs no bounds check, an attacker can write out‑of‑range values to those registers, causing the kernel to perform an out‑of‑bounds MMIO read through memcpy_fromio. For sufficiently large indices this results in a machine‑check exception that corrupts the state of the kernel and leads to a reboot. This flaw is a classic bounds‑check and integer‑overflow defect (CWE‑1285).

Affected Systems

Any Linux kernel that includes the ibmasm module and has not applied the patch that added bounds checks to the queue index handling is potentially vulnerable. Administrators should verify the presence of the fix in their kernel release, but treat all current kernels with ibmasm support as at risk until the patch is confirmed.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability carries a medium severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. Attackers would need privileged access to the service processor’s MMIO registers to write arbitrary reader or writer values, which is typically outside the scope of unprivileged users. Nonetheless, a compromised or trusted service processor could trigger a denial‑of‑service event and reboot the host.

Generated by OpenCVE AI on May 28, 2026 at 04:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the ibmasm MMIO boundary‑check patch.
  • If a kernel upgrade cannot be performed immediately, restrict or isolate access to the service processor’s MMIO registers so that only trusted firmware can modify the reader and writer indices.
  • If ibmasm is not required on the system, disable or unload the ibmasm device module to prevent the vulnerable code path from executing.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:35.855Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46022

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:20.670

Modified: 2026-06-16T15:55:32.137

Link: CVE-2026-46022

Redhat

Severity : Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46022 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input