DEBIAN-CVE-2026-31464
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | linux | 6.12.43-1, 6.12.74-2, 6.12.74-1 |
| Debian:11 | linux-6.1 | 6.1.162-1, 6.1.159-1, 6.1.158-1 |
| Debian:12 | linux | 6.18.5-1, 6.1.106-3, * |
| Debian:11 | linux | 6.12.8-1, 6.12.11-1, 6.12.11-1 |
| Debian:14 | linux | 6.19, 6.19, 6.19 |
Timeline
- Apr 22, 2026 CVE Published
- May 2, 2026 CVE Updated