Skip to main content

Linux Kernel CVE-2026-46177

| EUVDEUVD-2026-32804 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h4pv-4jh4-mxpf
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:01 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipmi: Add limits to event and receive message requests

The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.

In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things. If the attn bit gets stuck, it's a similar problem. So allow messages in between flag fetches so the driver itself doesn't get stuck.

This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.

This has been there from the beginning of the driver. It's not a bug per-se, but it is accounting for bugs in BMCs.

AnalysisAI

Denial of service in the Linux kernel IPMI driver allows a malicious or buggy BMC (Baseboard Management Controller) to indefinitely stall the driver by never signaling completion on event/message fetches or by keeping the attention (attn) bit asserted. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) score reflects pure availability impact, and the issue has existed since the IPMI driver's inception; no public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating very low exploitation likelihood.

Technical ContextAI

The vulnerability is in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem, specifically the system interface (si) driver that communicates with a BMC over hardware channels such as KCS, BT, or SMIC. IPMI is used out-of-band for server hardware management - sensor reads, power control, event logs. The driver previously contained an unbounded fetch loop: it would continually pull events and receive messages until the BMC signaled it had no more data, and it polled a hardware attention (attn) state bit to know when to re-check flags. A faulty or malicious BMC that perpetually reports 'more data available' or keeps the attn bit asserted causes the driver to spin indefinitely, starving other kernel work. The fix caps fetches at 10 per cycle and interleaves regular message processing between flag fetches so the driver cannot be wedged. The CWE is not assigned, but the underlying class is an unbounded loop / improper input validation from a peripheral device (related to CWE-835).

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) depending on your branch, with fixes available at https://git.kernel.org/stable/c/3d37d2165df9504ea99d9e6181552dc4d2d1ab37 and the four sibling commits listed in references. For distribution kernels, apply your vendor's backported security update once published; check https://nvd.nist.gov/vuln/detail/CVE-2026-46177 for tracker links. If immediate patching is not feasible, compensating controls include unloading the ipmi_si module (modprobe -r ipmi_si) on systems that do not require in-band IPMI - trade-off: loses local sensor/event access via /dev/ipmi*, but tools using out-of-band IPMI over LAN are unaffected. Alternatively, isolate or update BMC firmware to a known-good vendor build to eliminate the root trigger, and restrict physical/network access to the BMC management interface to prevent firmware tampering.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy