CVE-2026-46105 - Vulnerability Details

- scsi: mpt3sas: Limit NVMe request size to 2 MiB

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Limit NVMe request size to 2 MiB

The HBA firmware reports NVMe MDTS values based on the underlying drive
capability. However, because the driver allocates a fixed 4K buffer for
the PRP list, accommodating at most 512 entries, the driver supports a
maximum I/O transfer size of 2 MiB.

Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB
driver limit to prevent issuing oversized I/O that may lead to a kernel
oops.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In Linux, the mpt3sas SCSI driver allocates a fixed 4 KB PRP list buffer that can hold 512 entries, capping the maximum single I/O transfer to 2 MiB. The driver does not enforce this internal limit when the underlying NVMe device reports a larger maximum data transfer size (MDTS). If a request larger than 2 MiB is issued, the driver attempts to build a PRP list that overflows the allocated buffer, which can trigger a kernel oops and bring the host down. This vulnerability is a classic bounds‑check failure that directly compromises kernel integrity.

Affected Systems

All Linux kernels that include the mpt3sas driver are affected, regardless of the vendor’s distribution. Any system that uses an HBA with mpt3sas support and connects to NVMe devices capable of reporting an MDTS larger than 2 MiB could be impacted. No specific kernel release is listed, so any kernel prior to the patch that implements the size check is potentially vulnerable.

Risk and Exploitability

The CVSS score is 5.5 and it is not listed in the CISA KEV catalog, indicating a moderate severity kernel crash. Based on the description, it is inferred that local or privileged users who can control the size of NVMe I/O requests could trigger the failure; remote exploitation would require a mechanism to influence such requests on the target machine. The EPSS score is 0.00017, indicating a very low probability of automated exploitation, but the specialized hardware context suggests the risk is low to moderate without active targeting.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9b8b84879d4adc506b0d3944e20b28d9f3f6994b`	affected	< 45dcc815fc5539e88154315f36cbcb11d3a52fc2
`9b8b84879d4adc506b0d3944e20b28d9f3f6994b`	affected	< e5f9824817c6358b9f9738bdb92dec9e4e794d3c
`9b8b84879d4adc506b0d3944e20b28d9f3f6994b`	affected	< 04631f55afc543d5431a2bdee7f6cc0f2c0debe7

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9b8b84879d4adc506b0d3944e20b28d9f3f6994b,45dcc815fc5539e88154315f36cbcb11d3a52fc2)`	affected	code_commit	—
`[9b8b84879d4adc506b0d3944e20b28d9f3f6994b,e5f9824817c6358b9f9738bdb92dec9e4e794d3c)`	affected	code_commit	—
`[9b8b84879d4adc506b0d3944e20b28d9f3f6994b,04631f55afc543d5431a2bdee7f6cc0f2c0debe7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the patch limiting NVMe request size to 2 MiB
If no update is immediately possible, configure the system to enforce a per‑device sector limit that is below the 2 MiB threshold, for example by tuning the VM's logical sector size or using device‑mapper limits
If acceptable, block or restrict user access to NVMe block devices so that only trusted daemons can issue large I/O requests
Monitor kernel logs for NVMe‑related oops entries and investigate any suspicious activity

Generated by OpenCVE AI on May 29, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/04631f55afc543d5431a2bdee7f6cc0f2c0debe7
https://git.kernel.org/stable/c/45dcc815fc5539e88154315f36cbcb11d3a52fc2
https://git.kernel.org/stable/c/e5f9824817c6358b9f9738bdb92dec9e4e794d3c
https://lore.kernel.org/linux-cve-announce/2026052811-CVE-2026-46105-965c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46105
https://www.cve.org/CVERecord?id=CVE-2026-46105

History

Fri, 29 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-787

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026052811-CVE-2026-46105-965c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46105 https://www.cve.org/CVERecord?id=CVE-2026-46105
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-787

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.
Title		scsi: mpt3sas: Limit NVMe request size to 2 MiB
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/04631f55afc543d5431a2bdee7f6cc0f2c0debe7 https://git.kernel.org/stable/c/45dcc815fc5539e88154315f36cbcb11d3a52fc2 https://git.kernel.org/stable/c/e5f9824817c6358b9f9738bdb92dec9e4e794d3c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:09.126Z

Updated: 2026-05-28T09:35:09.126Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46105

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:25.850

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46105

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46105 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:00:07Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object