CVE-2026-46064
Reported by Linux · Published May 27, 2026
In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.
EPSS 0.03% · 9.8th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
| Linux | Linux | 2.6.12, 0, 5.10.258 |
| Linux | Linux | 7.1, 6.12.86, 6.18.27 |
| linux | linux_kernel | 2.6.12, 2.6.12, 2.6.12 |
Timeline
- May 27, 2026 CVE Published
- May 28, 2026 EPSS Score
- May 29, 2026 EPSS Score
- May 29, 2026 Security Advisory
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- Jun 1, 2026 EPSS Score
- Jun 1, 2026 CVE Updated
- Jun 4, 2026 Coalition ESS Score
- Jun 5, 2026 EPSS Score