Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic

kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
aen_host_forward() index the GAIT by manually multiplying the index
with sizeof(struct zpci_gaite).

Since aift->gait is already a struct zpci_gaite pointer, this
double-scales the offset, accessing element aisb*16 instead of aisb.

This causes out-of-bounds accesses when aisb >= 32 (with
ZPCI_NR_DEVICES=512).

Fix by removing the erroneous sizeof multiplication.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is in the Linux kernel's KVM s390 PCI AIF support, where the code multiplies a GAIT table index by the size of a table element even though the table pointer is already typed, so the offset is scaled twice. This causes out-of-bounds accesses when the index exceeds 31 (with ZPCI_NR_DEVICES=512). The flaw can lead to memory corruption, which may compromise system integrity or cause a denial of service if exploited by an attacker with sufficient privileges.
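The double scaling described above, measured in a small user-space C program. This is an added example, not kernel code: struct gaite is a stand-in whose field names are illustrative (only the 16-byte size implied by "aisb*16" matters), and the oversized backing array is an assumption that keeps the buggy arithmetic inside one object so it can be measured safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_DEVICES 512  /* ZPCI_NR_DEVICES value quoted in the description */

/* Stand-in for struct zpci_gaite; field names are illustrative. */
struct gaite { uint64_t word0; uint64_t word1; };
_Static_assert(sizeof(struct gaite) == 16, "demo assumes 16-byte entries");

/* Backing store 16x larger than the table, so the buggy pointer stays inside
 * one object. Only the first NR_DEVICES entries represent the GAIT. */
static struct gaite backing[NR_DEVICES * sizeof(struct gaite)];
static struct gaite *const gait = backing;

/* Buggy pattern: index scaled by hand, then scaled again by the compiler. */
static size_t buggy_element(size_t aisb)
{
    struct gaite *p = gait + aisb * sizeof(struct gaite);
    return (size_t)(p - gait);
}

/* Fixed pattern: typed pointer arithmetic already scales by the element size. */
static size_t fixed_element(size_t aisb)
{
    struct gaite *p = gait + aisb;
    return (size_t)(p - gait);
}

static int in_table(size_t element) { return element < NR_DEVICES; }

/* Smallest index whose buggy access falls outside the NR_DEVICES-entry table. */
static size_t first_oob_aisb(void)
{
    for (size_t aisb = 0; aisb < NR_DEVICES; aisb++)
        if (!in_table(buggy_element(aisb)))
            return aisb;
    return NR_DEVICES;
}

int main(void)
{
    const size_t samples[] = { 0, 1, 31, 32, 511 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t b = buggy_element(samples[i]);
        printf("aisb=%3zu fixed->%3zu buggy->%4zu %s\n", samples[i],
               fixed_element(samples[i]), b, in_table(b) ? "ok" : "OUT OF BOUNDS");
    }
    printf("first out-of-bounds aisb: %zu\n", first_oob_aisb());
    return 0;
}
```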

Affected Systems

All Linux kernel deployments that include the KVM s390 PCI AIF code and predate the commit that removes the erroneous sizeof multiplication are affected. No specific vendor or product version information is provided.

Risk and Exploitability

The CVSS score is not listed in the data, and the EPSS score is not available, indicating limited public information about exploitation potential. The vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires kernel‑level access to the execution context—typically only available to privileged users or through manipulation of host configuration—it is unlikely to be widely exploitable without elevated privileges. Nonetheless, unpatched systems should be updated promptly to eliminate the risk.

Generated by OpenCVE AI on June 24, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the GAIT table indexing fix, such as the kernel containing commit 11b8ff5b93
  • Reboot the host to load the updated kernel and ensure the KVM s390 PCI AIF code is using the corrected implementation
  • If a kernel update is not immediately possible, restrict access to KVM host functionality that relies on PCI AIF or temporarily disable the affected AIF features at the configuration level, as a short‑term mitigation



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125, CWE-787

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite). Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb. This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512). Fix by removing the erroneous sizeof multiplication.
Title | | KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:47.438Z

Reserved: 2026-06-09T07:44:35.375Z

Link: CVE-2026-52968

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses