VDB

CVE-2026-46064

CVE-2026-46064 PUBLISHED

Reported by Linux · Published May 27, 2026

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.

EPSS 0.03% · 9.8th percentile

Risk Scores

EPSS Score
0.03%
9.8th percentile

Affected Products

VendorProductVersions
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
LinuxLinux2.6.12, 0, 5.10.258
LinuxLinux7.1, 6.12.86, 6.18.27
linuxlinux_kernel2.6.12, 2.6.12, 2.6.12

Timeline

  • May 27, 2026 CVE Published
  • May 28, 2026 EPSS Score
  • May 29, 2026 EPSS Score
  • May 29, 2026 Security Advisory
  • May 30, 2026 EPSS Score
  • May 31, 2026 EPSS Score
  • Jun 1, 2026 EPSS Score
  • Jun 1, 2026 CVE Updated
  • Jun 4, 2026 Coalition ESS Score
  • Jun 5, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›