Skip to main content

Linux Kernel CVE-2026-46022

| EUVDEUVD-2026-32403 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cpgx-54rr-4jm6
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.1 MEDIUM

Requires prior compromise of the service processor (PR:H, local MMIO path AV:L); only 8 bytes of adjacent MMIO leak so C:L, but machine check crash justifies A:H.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 16:07 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60).

A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes:

queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.

AnalysisAI

Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.

Technical ContextAI

The vulnerability affects the Linux kernel ibmasm misc driver (drivers/misc/ibmasm), which provides communication with the IBM Advanced System Management service processor on legacy IBM xSeries servers via a PCI BAR-mapped remote input queue. The root cause is a CWE-125 out-of-bounds read: get_queue_reader() and get_queue_writer() return raw readl() values from hardware MMIO registers, which are then fed into get_queue_entry() to compute 'queue_begin + reader * sizeof(struct remote_input)'. Because REMOTE_QUEUE_SIZE is 60 and no bounds validation occurs, a sufficiently large index drives the resulting address outside the PCI BAR mapping, and memcpy_fromio() either leaks 8 bytes from adjacent device registers or generates a machine check exception. The trust boundary crossed here is between the host kernel and the service processor firmware, which the kernel normally implicitly trusts.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later depending on your stable branch, referencing the stable commits at https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841 and the sibling backports listed in the NVD references. As a workaround on systems that do not require IBM ASM functionality, unload and blacklist the ibmasm module (e.g. add 'blacklist ibmasm' to /etc/modprobe.d/) to eliminate the attack surface entirely; the trade-off is loss of service-processor mouse/keyboard/event integration on legacy IBM xSeries hardware. Where the driver is required, restrict and harden the service processor's management network and credentials so its firmware cannot be compromised in the first place.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy