Skip to main content

Linux Kernel ibmvfc EUVDEUVD-2026-24807

| CVE-2026-31464 HIGH
Out-of-bounds Read (CWE-125)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:30 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.1 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24807
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()

A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory.

Fix by clamping num_written to max_targets before storing it.

AnalysisAI

Out-of-bounds memory access in Linux kernel's IBM Virtual Fibre Channel (ibmvfc) driver allows adjacent network attackers to leak kernel memory contents. A compromised or malicious VIO server can supply a crafted num_written value exceeding max_targets in discover targets MAD responses, causing unbounded indexing into disc_buf[] and embedding out-of-bounds kernel data in subsequent PLOGI and Implicit Logout MADs sent back to the attacker. Vendor patches available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The vulnerability resides in the IBM Virtual Fibre Channel (ibmvfc) SCSI driver, which enables virtualized Fibre Channel connectivity between IBM Power Systems partitions and VIO servers. The flaw occurs in the discover targets completion handler (ibmvfc_discover_targets_done()) where Management Adapter Data (MAD) responses from the VIO server are processed. The driver allocates a DMA-coherent buffer (disc_buf[]) sized for max_targets entries, but fails to validate the num_written field received from potentially untrusted VIO servers before using it as a loop bound in ibmvfc_alloc_targets(). When num_written exceeds max_targets, array indexing accesses kernel memory beyond the allocated buffer. This out-of-bounds data is subsequently embedded in PLOGI (Port Login) and Implicit Logout MAD structures transmitted back to the VIO server, creating a kernel memory disclosure channel. The affected code path has existed since the driver's introduction in Linux 2.6.27 (commit 072b91f9c651), affecting nearly two decades of kernel releases. CPE applicability spans all Linux kernel versions from 2.6.27 through 7.0-rc variants prior to patching.

RemediationAI

Upgrade to patched kernel versions: 5.10.253+ (LTS), 5.15.203+ (LTS), 6.1.168+ (LTS), 6.6.131+ (stable), 6.12.80+ (stable), 6.18.21+ (stable), 6.19.11+ (stable), or 7.0+ (mainline). Upstream patches available at https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc (mainline) and branch-specific commits listed in NVD references. The fix implements input validation by clamping num_written to max_targets before assignment to vhost->num_targets (vhost->num_targets = min(mad->num_written, vhost->max_targets)). For IBM Power environments unable to immediately patch, implement compensating controls: (1) Restrict VIO server access to trusted administrators only, eliminating untrusted or multi-tenant VIO deployments - this removes the threat actor capability but may conflict with cloud/shared infrastructure models; (2) Enable kernel memory poisoning (CONFIG_PAGE_POISONING=y, page_poison=1) to reduce information value of leaked memory, though this incurs 5-15% performance overhead and does not prevent disclosure; (3) Deploy network segmentation isolating VIO server management networks from untrusted zones, reducing adjacent network attack surface but not eliminating insider threats with VIO access. No configuration-based workaround exists to disable the vulnerable code path without losing ibmvfc functionality entirely. Patching remains the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy