Skip to main content

Linux Kernel CVE-2026-53176

| EUVDEUVD-2026-39267 CRITICAL
Numeric Range Comparison Without Minimum Check (CWE-839)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cm56-mvx6-66qm
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Pre-auth path gives PR:N and the trivial undersized PDU gives AC:L, but the impact is a faulting crash only, so C:N/I:N and A:H rather than the published C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:22 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.

AnalysisAI

Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain access to RDMA/RoCE fabric of iSER target
Delivery
Post login Send WR under 76 bytes
Exploit
Underflow login_req_len to negative
Execution
Sign-extend to multi-GB memcpy length
Persist
Out-of-bounds copy faults
Impact
Crash target node (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target host to be running as a Linux iSER target - i.e., the kernel must be built with InfiniBand iSER target support (ib_isert) and configured to serve iSCSI over RDMA - and the attacker must have layer-2/RDMA reachability to the target's iSER login endpoint over an InfiniBand or RoCE fabric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and must be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the InfiniBand/RoCE fabric serving a Linux iSER iSCSI target posts a malformed login Send work request carrying fewer than 76 bytes. The undersized PDU underflows login_req_len to a negative value that is sign-extended into a gigabyte-scale memcpy() length, driving an out-of-bounds copy that faults and crashes the target node before any authentication occurs. …
Remediation Patch available per vendor advisory: upgrade to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, or 6.18.36 (or the corresponding fix commit such as 1ca40b243277c9e88be5e00bd3e083f71aefb93e), which add an early return rejecting any login PDU shorter than ISER_HEADERS_LEN before the subtraction so login_req_len can never go negative. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems running iSER target driver (check 'cat /proc/cmdline | grep CONFIG_INFINIBAND_ISER' and iSCSI target service status). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy