CVE-2026-46064

NONE EPSS 2.6%
Published May 27, 2026 (1mo ago) · Modified Jun 17, 2026 (2w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO.

Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.
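The size check the description calls for, as a userspace C model added here for illustration (not the kernel patch and not code from this page): the header-claimed size is rejected when it exceeds the allocation and clamped only against the frame limit. The struct fields other than command_size and data_size, the FRAME_PAYLOAD_MAX value standing in for I2O_COMMAND_SIZE, and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on the fields the description names (command_size: u8, data_size: u16);
 * the remaining fields are assumed. */
struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status;
    uint8_t  reserved;
};

#define FRAME_PAYLOAD_MAX 4064u /* constructed stand-in for I2O_COMMAND_SIZE */

static unsigned char sample[70000]; /* constructed sample buffer */

/* Write a header with the given (possibly inflated) size fields into sample. */
static const void *make_cmd(uint8_t command_size, uint16_t data_size)
{
    struct dot_command_header h = { .command_size = command_size, .data_size = data_size };
    memcpy(sample, &h, sizeof h);
    return sample;
}

/* Byte count the header claims; this is what the unfixed copy trusted. */
static size_t claimed_size(const void *buf)
{
    struct dot_command_header h;
    memcpy(&h, buf, sizeof h);
    return sizeof h + h.command_size + h.data_size;
}

/* Returns the number of bytes safe to copy, or 0 to reject the command. */
static size_t safe_copy_size(const void *buf, size_t alloc_len)
{
    if (alloc_len < sizeof(struct dot_command_header)) return 0;
    size_t n = claimed_size(buf);
    if (n > alloc_len) return 0;      /* reject; never clamp to alloc_len */
    return n > FRAME_PAYLOAD_MAX ? FRAME_PAYLOAD_MAX : n; /* stay inside the frame */
}

int main(void)
{
    const void *cmd = make_cmd(255, 0xFFFF); /* 16-byte write, inflated header */
    printf("claimed=%zu verdict=%zu\n", claimed_size(cmd), safe_copy_size(cmd, 16));
    return 0;
}
```

With both fields at their maximum, the claimed size is 65,796 bytes against a 16-byte allocation, which is the ~65 KB over-read the description refers to.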

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 8

  • git.kernel.org https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec
  • git.kernel.org https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c
  • git.kernel.org https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6
  • git.kernel.org https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083
  • git.kernel.org https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b
  • git.kernel.org https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153
  • git.kernel.org https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0
  • git.kernel.org https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.