Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required to issue SCSI UNMAP commands; impact is kernel crash only, no confidentiality or integrity loss.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: core: Fix integer overflow in UNMAP bounds check
sbc_execute_unmap() checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow.
Add an overflow check matching the pattern already used for WRITE_SAME in the same file.
AnalysisAI
Integer overflow in the Linux kernel SCSI target core allows a local attacker with low privileges to crash the kernel via crafted UNMAP commands. The sbc_execute_unmap() function performs a capacity bounds check on LBA + range but fails to guard against 64-bit wraparound, meaning an attacker can supply values that overflow to bypass the check and trigger a kernel panic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Linux SCSI target subsystem must be active on the system - specifically, the kernel must be configured and running as an iSCSI target, LIO target, or equivalent SCSI target daemon (e.g., targetcli/rtslib). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5) accurately characterizes this as a local, low-complexity denial-of-service with no privilege escalation or data exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with standard user credentials on a Linux system acting as an iSCSI or LIO SCSI target submits a crafted UNMAP command in which the LBA and range fields are chosen so their 64-bit sum overflows to a small value, bypassing the device capacity bounds check in `sbc_execute_unmap()`. The kernel proceeds with an out-of-bounds operation, triggering a kernel panic and bringing down the entire system. … |
| Remediation | The primary fix is to upgrade the Linux kernel to one of the patched stable releases: 5.10.258+, 5.15.209+, 6.1.175+, 6.6.141+, 6.12.91+, 6.18.33+, 7.0.10+, or 7.1+. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38889
GHSA-mw2m-v92w-q9ww