Skip to main content

Linux Kernel EUVDEUVD-2026-26654

| CVE-2026-43055 HIGH
2026-05-01 Linux
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:39 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.5 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26654
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: file: Use kzalloc_flex for aio_cmd

The target_core_file doesn't initialize the aio_cmd->iocb for the ki_write_stream. When a write command fd_execute_rw_aio() is executed, we may get a bogus ki_write_stream value, causing unintended write failure status when checking iocb->ki_write_stream > max_write_streams in the block device.

Let's just use kzalloc_flex when allocating the aio_cmd and let ki_write_stream=0 to fix this issue.

AnalysisAI

Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.

Technical ContextAI

This vulnerability resides in the Linux kernel's SCSI target subsystem, specifically in drivers/target/target_core_file.c which implements file-backed LUN storage for iSCSI and other SCSI target protocols. The fd_execute_rw_aio() function allocates an aio_cmd structure containing an io_kiocb (kernel I/O control block) but fails to zero-initialize the ki_write_stream field. This field specifies write stream hints for multi-stream capable block devices as defined in the NVMe specification. When uninitialized stack or heap memory contains garbage values in ki_write_stream, block layer validation (checking ki_write_stream against the device's max_write_streams limit) can reject legitimate writes. The root cause is improper resource initialization (similar to CWE-665), where allocated memory isn't fully initialized before use. The fix migrates from standard kmalloc to kzalloc_flex (zero-initializing flexible array allocation), ensuring ki_write_stream defaults to zero. This affects systems using Linux as a storage target (SAN head units, iSCSI targets) rather than typical end-user deployments.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.22, 6.19.12, 7.0, or later stable releases incorporating upstream commits ce54802fe6bb78eb0feffc66fed6a45d41ffc3ab, 4eaff1728d0e69b95933412241bbccf4f797dba8, or 01f784fc9d0ab2a6dac45ee443620e517cb2a19b from https://git.kernel.org/stable/. Organizations unable to upgrade immediately can disable the target_core_file module (modprobe -r target_core_file) if file-backed LUNs are not required, switching to block-device-backed LUNs (target_core_iblock) or RAM-disk targets (target_core_pscsi) as alternatives - note this requires reconfiguring storage target infrastructure and may impact existing initiator connections. For systems requiring file-backed targets, restrict storage network access to trusted initiators via iSCSI ACLs, Fibre Channel zoning, or network segmentation to limit exposure to potential triggering of the write failures. These mitigations reduce attack surface but do not eliminate the underlying kernel bug; patching remains the definitive solution. No service restart beyond standard kernel update procedures (reboot or live patching with kpatch/kGraft if available) is required.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy