Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then will memcpy() cur_len bytes from that
buffer. snprintf() returns the length the output would have had, which
can exceed the buffer size when the fabric WWN is long because iSCSI IQN
names can be up to 223 bytes. The check at the memcpy() site only
guards the destination page write, not the source read, so memcpy() will
read past the stack buffer and copy adjacent stack contents to the sysfs
reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()
will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length
check to avoid buffer overflow") added the same bound to the
target_lu_gp_members_show() but the tg_pt_gp variant was missed so
resolve that here.
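
The length handling described above, as an added userspace illustration (not the kernel source or the upstream patch). The path format, `PAGE_SZ`, the function names and the sample IQN and LUN names are constructed assumptions; the unbounded variant only reports the length that would reach memcpy() and performs no copy.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* stack buffer size given in the description */
#define PAGE_SZ  4096  /* assumed size of the output page */

/* Constructed path layout; the real format string is not shown on the page. */
static int format_member(char *buf, size_t n, const char *wwn, const char *lun)
{
    return snprintf(buf, n, "iscsi/%s/tpgt_1/%s\n", wwn, lun);
}

/* Unbounded pattern: the length that would be handed to memcpy() is
 * snprintf()'s return value, the would-be length, not the bytes stored. */
static int unbounded_copy_len(const char *wwn, const char *lun)
{
    char buf[NAME_BUF];
    return format_member(buf, sizeof(buf), wwn, lun);
}

/* Bounded pattern: check the source buffer as well as the destination page.
 * Returns the new page length, or -1 if the entry was skipped. */
static int append_member(char *page, int len, const char *wwn, const char *lun)
{
    char buf[NAME_BUF];
    int cur_len = format_member(buf, sizeof(buf), wwn, lun);

    if (cur_len < 0 || cur_len >= (int)sizeof(buf))   /* source bound */
        return -1;
    if (len + cur_len + 1 > PAGE_SZ)                   /* destination bound */
        return -1;
    memcpy(page + len, buf, (size_t)cur_len + 1);      /* includes the NUL */
    return len + cur_len;
}

/* Constructed 223-byte IQN (the maximum length quoted in the description). */
static const char *long_iqn(void)
{
    static char iqn[224];
    memset(iqn, 'a', 223);
    memcpy(iqn, "iqn.2026-05.example:", 20);
    iqn[223] = '\0';
    return iqn;
}

int main(void)
{
    char page[PAGE_SZ] = "";
    const char *lun = "lun_with_a_constructed_long_name";
    printf("would-be length %d, buffer %d\n", unbounded_copy_len(long_iqn(), lun), NAME_BUF);
    printf("bounded append returns %d\n", append_member(page, 0, long_iqn(), lun));
    return 0;
}
```
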
Published: 2026-05-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel formats SCSI target LUN paths into a 256‑byte stack buffer using snprintf(). If an iSCSI WWN name is close to the maximum length of 223 bytes, the formatted path can be longer than the buffer, and snprintf() returns that would-be length rather than the number of bytes it stored. The subsequent memcpy() uses the returned length and reads past the end of the stack buffer, copying adjacent stack contents to the reader or triggering a kernel panic through fortify_panic() when CONFIG_FORTIFY_SOURCE is active. An attacker who can read the vulnerable sysfs entry can provoke this out-of-bounds read, which can result in a kernel crash or disclosure of internal kernel memory. The record lists the weakness as CWE‑120 (classic buffer overflow) and CWE‑674 (uncontrolled recursion).

Affected Systems

All Linux kernels that have not incorporated the fix for tg_pt_gp_members_show() are affected. Commit 27e06650a5ea added the bound only to target_lu_gp_members_show(), so a kernel that contains that commit can still be vulnerable through the tg_pt_gp path. This applies to every distribution shipping a kernel version that lacks the fix. No specific version range was provided, so any kernel without the fix is considered vulnerable.

Risk and Exploitability

The vulnerability is local; it requires the attacker to read the vulnerable sysfs file. The EPSS score is below 1%, indicating a very low chance of exploitation. The CVSS score is 7.1, making it a high‑severity issue. No public exploit has been reported and the issue is not listed in KEV, which suggests that the probability of exploitation is still low, but the flaw can cause a kernel crash or leak internal memory. Exploitation requires only low privilege (root or the ability to read sysfs), and the attack vector is inferred to be local read access that triggers a kernel panic.

Generated by OpenCVE AI on June 10, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fix for tg_pt_gp_members_show() (the change titled "scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()"). Commit 27e06650a5ea on its own covers only target_lu_gp_members_show().
  • If an update is not immediately possible, disable the target_core_configfs interface or remove the SCSI target feature from the kernel configuration to eliminate the vulnerable code path.
  • Verify that the deployed kernel does not expose the problematic sysfs nodes; if they remain, consider restricting access to those files using ACLs or appropriate permissions to reduce attack surface.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:10.899Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46149

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:30.513

Modified: 2026-06-10T21:18:31.190

Link: CVE-2026-46149

Redhat

Severity: Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46149 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-674

    Uncontrolled Recursion