Skip to main content

Linux Kernel CVE-2026-46149

| EUVDEUVD-2026-32776 HIGH
Uncontrolled Recursion (CWE-674)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vvx9-xfcg-g62v
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:56 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.1
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.

AnalysisAI

Out-of-bounds stack read in the Linux kernel SCSI target subsystem's configfs interface allows a local privileged user to trigger a kernel panic or leak adjacent stack memory by reading the tg_pt_gp members sysfs attribute when a long iSCSI IQN fabric WWN (up to 223 bytes) is configured. The flaw stems from misusing the snprintf() return value (which reports intended length, not bytes written) as a memcpy() source length. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile).

Technical ContextAI

The bug lives in drivers/target/target_core_configfs.c in target_tg_pt_gp_members_show(), part of the LIO SCSI target framework that exposes ALUA (Asymmetric Logical Unit Access) target port group membership through configfs/sysfs. snprintf() returns the number of bytes that would have been written had the buffer been large enough; when an iSCSI Qualified Name (IQN, RFC 3720, up to 223 bytes) plus surrounding path formatting exceeds the 256-byte stack buffer, the returned cur_len overflows the actual buffer size, and the subsequent memcpy() reads past the stack frame. CONFIG_FORTIFY_SOURCE detects the over-read and invokes fortify_panic(), turning the issue into a denial-of-service kernel oops; without fortification, adjacent stack contents leak to the sysfs reader. The class corresponds to CWE-125 (out-of-bounds read) / CWE-193 (off-by-one / incorrect length calculation), and mirrors the earlier fix in commit 27e06650a5ea for the sibling target_lu_gp_members_show() path.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or any later release that includes the corresponding stable commits 1f678d13e939, 72cc5ea7ef32, 772a896a56e0, e501154f9d82, 00d91bfdce50 - all linked under https://git.kernel.org/stable/). Distribution users should pull the equivalent backport from their vendor's security stream rather than building mainline. If immediate patching is not possible, compensating controls are: unload or do not load the target_core_mod / iscsi_target_mod modules on hosts that are not acting as SCSI targets (eliminates the vulnerable code path entirely, side effect: disables any local LIO exports); tighten permissions on /sys/kernel/config/target/*/tpgt_*/np/*/lun/*/alua_tg_pt_gps/*/members so only root can read it (side effect: management tooling that runs as a non-root storage operator will break); and avoid provisioning fabric WWNs / IQNs longer than roughly 200 bytes until the patch is deployed (side effect: cosmetic naming restriction only).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy