Description
In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when an iSER initiator sends a login PDU that is shorter than the required 76 bytes. The kernel subtracts the header length from the reported byte count without a lower bound, producing a negative value that is subsequently used as the length for a memcpy operation. Because the length is sign-extended to a size_t, the operation attempts to copy several gigabytes into an 8192‑byte buffer, causing a memory corruption that results in a crash of the node. The flaw is exploited during the login phase, before any authentication, so no credentials are required path. The impact is a loss of availability; the node becomes unresponsive after a single malicious request.

Affected Systems

This flaw affects all Linux kernel releases that include the iSER (IB/ISERT) driver without the recent patch. The vendor is Linux, and any distribution that ships the kernel with this driver is potentially exposed unless the kernel has been updated beyond the point where login PDUs shorter than ISER_HEADERS_LEN are rejected. Exact supplied, so all modern kernels that support iSCSI over RDMA are considered affected.

Risk and Exploitability

The CVSS score is 9.8, but the EPSS score of <1% indicates a very low exploitation probability. Nevertheless, the practical availability of the flaw is high: no authentication is required, the exploit is a simple crafted PDU, and the attack can be performed from any remote iSER session. The vulnerability is not listed in CISA’s KEV catalog, but that does not diminish the likelihood of exploitation in environments that expose the iSCSI port. Because the flaw leads directly to a crash, the operational impact is a full denial of service, making it a high‑severity issue for any system that relies on the iSER driver.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that enforces a lower bound check on login PDU lengths before performing the subtraction; this is the official fix for the issue possible, block or drop iSCSI traffic on the RDMA channel from untrusted clients, effectively preventing malicious PDUs from reaching the driver.
  • Consider disabling the iSCSI over RDMA interface on systems where it is not required, or limit its use to a segregated network segment with strict access controls.
  • Implement firewall rules to block incoming iSCSI RDMA traffic from untrusted sources until the kernel patch is applied.

Generated by OpenCVE AI on June 28, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-193

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-839
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-193

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative. isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path. Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.
Title IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:41.443Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53176

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53176 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:00:12Z

Weaknesses
  • CWE-839

    Numeric Range Comparison Without Minimum Check