Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a
256-byte stack buffer, then will memcpy() cur_len bytes from that
buffer. snprintf() returns the length the output would have had, which
can exceed the buffer size when the fabric WWN is long because iSCSI IQN
names can be up to 223 bytes. The check at the memcpy() site only
guards the destination page write, not the source read, so memcpy() will
read past the stack buffer and copy adjacent stack contents to the sysfs
reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()
will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length
check to avoid buffer overflow") added the same bound to the
target_lu_gp_members_show() but the tg_pt_gp variant was missed so
resolve that here.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer over-read occurs when the kernel formats SCSI target LUN paths into a 256-byte stack buffer using snprintf(). If an iSCSI WWN name is close to the maximum length of 223 bytes, snprintf() returns the length the output would have had, which can be larger than the buffer. The subsequent memcpy() uses that length and reads past the end of the stack buffer, copying adjacent stack contents and exposing private data, or triggering a kernel panic through fortify_panic() when CONFIG_FORTIFY_SOURCE is active. An attacker who can read the vulnerable sysfs entry can provoke this, which can result in a kernel crash or disclosure of internal kernel memory. The weakness is recorded as CWE-119.
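
The snprintf() return-value pitfall described above, as a user-space C example added here (it is not the kernel's code or the upstream patch). The "%s/%s\n" format, PAGE_SZ, the function names and the input strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* stack buffer size given in the description */
#define PAGE_SZ  4096  /* assumed size of the destination page */

/* Unbounded pattern: returns the byte count a following
 * memcpy(page + len, buf, cur_len) would read from buf. The copy is not
 * performed here; for cur_len > NAME_BUF it would read past buf. */
size_t unbounded_copy_len(const char *wwn, const char *member)
{
    char buf[NAME_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s\n", wwn, member);
    return cur_len < 0 ? 0 : (size_t)cur_len;  /* would-be length, not bytes stored */
}

/* Bounded pattern: appends one entry to page and returns the new length,
 * or -1 when the entry was truncated in buf or does not fit in page. */
long append_member(char *page, size_t len, const char *wwn, const char *member)
{
    char buf[NAME_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s\n", wwn, member);

    if (cur_len < 0 || (size_t)cur_len >= sizeof(buf))
        return -1;                                  /* source bound */
    if (len + (size_t)cur_len + 1 > PAGE_SZ)
        return -1;                                  /* destination bound */
    memcpy(page + len, buf, (size_t)cur_len + 1);   /* includes the NUL */
    return (long)(len + (size_t)cur_len);
}

/* Constructed sample input: fills dst with n copies of 'a'. */
char *fill_name(char *dst, size_t n)
{
    memset(dst, 'a', n);
    dst[n] = '\0';
    return dst;
}

int main(void)
{
    char page[PAGE_SZ], wwn[224], member[64];

    fill_name(wwn, 223);      /* longest IQN per the description */
    fill_name(member, 40);    /* constructed trailing path component */
    printf("would copy %zu bytes from a %d-byte buffer\n",
           unbounded_copy_len(wwn, member), NAME_BUF);
    printf("bounded append returns %ld\n", append_member(page, 0, wwn, member));
    return 0;
}
```

The destination check alone passes for the oversized entry, which is why the source bound has to be tested separately.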

Affected Systems

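All Linux kernel instances that lack the bound on the snprintf() return value in target_tg_pt_gp_members_show(). Commit 27e06650a5ea added that bound to target_lu_gp_members_show() only, so a kernel that contains it can still be affected through the tg_pt_gp path. This applies to every distribution shipping a kernel version that lacks the mitigation for the tg_pt_gp_members_show() path. No specific version range was provided, so any kernel without the tg_pt_gp fix is considered vulnerable.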

Risk and Exploitability

The vulnerability is local; it requires the attacker to read the affected sysfs file. While the EPSS score is not available and the issue is not listed in CISA KEV, the safe assumption is high risk due to the severity of a buffer overflow that can crash the kernel. The CVSS score is not given, but the description indicates a high likelihood of denial of service. Exploitation requires only low privilege (root or the ability to read sysfs), and the attack vector is inferred to be local read access that triggers a kernel panic.

Generated by OpenCVE AI on May 28, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

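  • Apply a kernel update that includes the fix bounding the snprintf() return in tg_pt_gp_members_show(). Commit 27e06650a5ea alone is not sufficient: it added the bound to target_lu_gp_members_show() and missed the tg_pt_gp variant.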
  • If an update is not immediately possible, disable the target_core_configfs interface or remove the SCSI target feature from the kernel configuration to eliminate the vulnerable code path.
  • Verify that the deployed kernel does not expose the problematic sysfs nodes; if they remain, consider restricting access to those files using ACLs or appropriate permissions to reduce attack surface.


Advisories

No advisories yet.

History

Thu, 28 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:36:05.706Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46149

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:30.513

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T11:45:16Z

Weaknesses