Description
In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when an iSER initiator sends a login PDU that is shorter than the required 76 bytes. The kernel subtracts the header length from the reported byte count without a lower bound, producing a negative value that is subsequently used as the length for a memcpy operation. Because the length is sign-extended to a size_t, the operation attempts to copy several gigabytes into an 8192‑byte buffer, causing a memory corruption that results in a crash of the node. The flaw is exploited during the login phase, before any authentication, so no credentials are required for an attacker to reach a failing path. The impact is a loss of availability; the node becomes unresponsive after a single malicious request.
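The length arithmetic described above, modelled in user space as an added example (it is not the kernel source or the upstream patch). The function names and sample byte counts are constructed; ISER_HEADERS_LEN (76) and the 8192-byte bound are the values given in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISER_HEADERS_LEN    76    /* value stated in the description */
#define MAX_KEY_VALUE_PAIRS 8192  /* assumed equal to the 8192-byte login->req_buf */

/* Unpatched receive path: payload length with no lower bound. */
static int login_req_len_unpatched(uint32_t byte_len)
{
    return (int)byte_len - ISER_HEADERS_LEN;
}

/* Patched receive path: reject short PDUs before subtracting.
 * Returns 0 and stores the length, or -1 when the PDU is dropped. */
static int login_req_len_patched(uint32_t byte_len, int *len)
{
    if (byte_len < ISER_HEADERS_LEN)
        return -1;
    *len = (int)byte_len - ISER_HEADERS_LEN;
    return 0;
}

/* Signed min() against MAX_KEY_VALUE_PAIRS, then the implicit int -> size_t
 * conversion that happens when the result is passed as memcpy()'s length. */
static size_t memcpy_len(int rx_buflen)
{
    int size = rx_buflen < MAX_KEY_VALUE_PAIRS ? rx_buflen : MAX_KEY_VALUE_PAIRS;
    return (size_t)size;
}

int main(void)
{
    /* Constructed byte counts: below, at and above the header length. */
    const uint32_t samples[] = { 0, 48, 75, 76, 124, 8268 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int len = 0;
        int old = login_req_len_unpatched(samples[i]);
        int rc = login_req_len_patched(samples[i], &len);

        printf("byte_len=%4u unpatched: len=%5d copy=%zu%s | patched: ",
               (unsigned)samples[i], old, memcpy_len(old),
               memcpy_len(old) > MAX_KEY_VALUE_PAIRS ? " (out of bounds)" : "");
        if (rc)
            printf("rejected\n");
        else
            printf("len=%d copy=%zu\n", len, memcpy_len(len));
    }
    return 0;
}
```

The signed min() only clamps the upper side, so every byte count below 76 leaves a negative int that becomes an enormous size_t; with the lower-bound check the same inputs never reach the subtraction.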

Affected Systems

This flaw affects all Linux kernel releases that include the iSER (IB/ISERT) driver without the recent patch. The vendor is Linux, and any distribution that ships the kernel with this driver is potentially exposed unless the kernel has been updated beyond the point where login PDUs shorter than ISER_HEADERS_LEN are rejected. Exact version information is not supplied, so all modern kernels that support iSCSI over RDMA are considered affected.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, but the flaw is practical to exploit: no authentication is required, the exploit is a simple crafted PDU, and the attack can be performed from any remote iSER session. The vulnerability is not listed in CISA’s KEV catalog, but that does not diminish the likelihood of exploitation in environments that expose the iSCSI port. Because the flaw leads directly to a crash, the operational impact is full denial of service, making it a high‑severity issue for any system that relies on the iSER driver.

Generated by OpenCVE AI on June 25, 2026 at 11:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that enforces a lower bound check on login PDU lengths before performing the subtraction; this is the official fix for the issue.
  • If patching is not immediately possible, block or drop iSCSI traffic on the RDMA channel from untrusted clients, effectively preventing malicious PDUs from reaching the driver.
  • Consider disabling the iSCSI over RDMA interface on systems where it is not required, or limit its use to a segregated network segment with strict access controls.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-193

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Title | | IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:52.693Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53176

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:15:10Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-193

    Off-by-one Error