CVE-2026-31464
Published: Apr 22, 2026
Modified: May 11, 2026
CVSS v3.1
8.1
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 - < d842348f8a00d5b1d7358f207eb34ffcf5b16df3affected 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 - < a007246cb6c9ebdc93dafbf63cc2d43d98f402ccaffected 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 - < 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89affected 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 - < 4ed727e35b0ab17d3eeeb1e8023768396e2be161affected 072b91f9c6510d0ec4a49d07dbc318760c7da7b3 - < d1466bf991b2343cf2ba8336e440c8faf3cbb780+3 more versions |
Linux | Linux | affected 2.6.27unaffected 0 - < 2.6.27unaffected 5.10.253 - <= 5.10.*unaffected 5.15.203 - <= 5.15.*unaffected 6.1.168 - <= 6.1.*+5 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now