CVE-2026-31464

HIGH EPSS 19.1%
Published Apr 22, 20262mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
High
Find Similar
Published Apr 22, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
19.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.27  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.131
linuxlinux_kernel*≥6.7  –  <6.12.80
linuxlinux_kernel*≥6.13  –  <6.18.21
linuxlinux_kernel*≥6.19  –  <6.19.11
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3
    Patch