Description
In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

The ibmasm_send_i2o_message() function uses get_dot_command_size() to
compute the byte count for memcpy_toio(), but this value is derived from
user-controlled fields in the dot_command_header (command_size: u8,
data_size: u16) and is never validated against the actual allocation size.
A root user can write a small buffer with inflated header fields, causing
memcpy_toio() to read up to ~65 KB past the end of the allocation into
adjacent kernel heap, which is then forwarded to the service processor
over MMIO.

Silently clamping the copy size is not sufficient: if the header fields
claim a larger size than the buffer, the SP receives a dot command whose
own header is inconsistent with the I2O message length, which can cause
the SP to desynchronize. Reject such commands outright by returning
failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking
an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
frame from the controller's free pool, and returning without a
corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the
memcpy_toio() so the MMIO write stays within the I2O message frame,
consistent with the clamping already performed by outgoing_message_size()
for the header field.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ibmasm_send_i2o_message() routine in the Linux kernel uses the command_size field of a user‑controlled dot command header to calculate the copy length for a memcpy_toio() operation, but this length is never validated against the actual allocation size. As a result, a locally privileged user can craft a dot command with inflated header values, causing the kernel to read up to approximately 65 KB beyond the end of the buffer. The over‑read data is then sent to the service processor over MMIO, exposing sensitive kernel memory content and potentially desynchronizing the processor by delivering an inconsistent I2O message header. This flaw is an instance of out‑of‑bounds read (CWE‑125).

Affected Systems

All Linux kernel distributions that include the buggy ibmasm_send_i2o_message() implementation are affected. No specific patched version list is provided, so any kernel built before the regression fix should be treated as vulnerable. The attacker requires root access and the capability to issue custom dot commands via the IBM ASM I2O interface.

Risk and Exploitability

The exploit requires local root privileges and involves submitting a specially crafted dot command header. Based on the description, it is inferred that the vulnerability poses a medium severity risk as reflected by the CVSS score of 5.5. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Consequently, remote exploitation is unlikely without prior local compromise, but the impact can lead to information disclosure and service processor desynchronization if exploited.

Generated by OpenCVE AI on May 28, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that includes the ibmasm_send_i2o_message() fix.
  • Reboot the system so the patched kernel is active.
  • If a kernel upgrade cannot be applied immediately, disable the IBM ASM I2O interface or block malformed dot command submissions from privileged processes, enforcing strict validation of command sizes to prevent over‑read.

Generated by OpenCVE AI on May 28, 2026 at 05:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-68

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-68

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.
Title ibmasm: fix heap over-read in ibmasm_send_i2o_message()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:51:42.521Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46064

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:26.867

Modified: 2026-06-01T17:17:22.067

Link: CVE-2026-46064

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46064 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:45:05Z

Weaknesses