Description
In the Linux kernel, the following vulnerability has been resolved:

ipmi: Check event message buffer response for bad data

The event message buffer response data size got checked later when
processing, but check it right after the response comes back. It
appears some BMCs may return an empty message instead of an error
when fetching events.

There are apparently some new BMCs that make this error, so we need to
compensate.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing validation of an event message buffer returned by a BMC. Instead of rejecting an empty response, the kernel accepts it and proceeds to process the data, which can lead to a kernel crash or incorrect state handling. This failure to check response length can be triggered by a malicious or defective BMC, resulting in a denial of service on the host system. The impact is confined to the availability of the IPMI subsystem and potentially the overall system if the kernel panics.

Affected Systems

This flaw affects the Linux kernel when compiled with the default IPMI subsystem. All kernels that have not applied upstream changes that enforce a length check on the event buffer are vulnerable. No specific version range is listed, so any kernel prior to the application of the commit series referenced in the source log should be considered at risk. The affected vendor/product is Linux:Linux; the product name is Linux kernel.

Risk and Exploitability

The likely attack vector is remote, inferred from the fact that IPMI interfaces are typically accessed over network management channels: an attacker can manipulate a BMC or supply crafted data to the IPMI interface over the network. While an exact CVSS score is not provided, the flaw allows for a crash that can be repeated; its EPSS score is < 1% and the flaw is not currently in the CISA KEV catalog. Nonetheless, because IPMI is often accessible from host management networks, the potential for exploitation is significant. No public exploit has been observed, but the logic flaw presents a clear path for a denial‑of‑service condition.

Generated by OpenCVE AI on May 29, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Linux kernel release that includes the IPMI buffer length check fix.
  • If an update is not yet available, limit IPMI traffic to trusted management sources or block remote IPMI access using firewall rules or network segmentation.
  • Continuously monitor kernel logs for IPMI‑related errors or panics and alert system administrators when such events occur.
  • Disable the IPMI subsystem if it is not required for your environment.

Generated by OpenCVE AI on May 29, 2026 at 03:47 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate.
Title ipmi: Check event message buffer response for bad data
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:43.326Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46128

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:28.373

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46128

Redhat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46128 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T04:00:13Z

Weaknesses