Skip to main content

Linux Kernel EUVDEUVD-2026-32446

| CVE-2026-46064 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4p2m-h7j8-hhxj
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.1 MEDIUM

Description states a root user triggers it, so PR:H not PR:L; local-only AV:L, low-complexity AC:L; C:H for heap leak, I:N, A:L for possible SP frame-pool exhaustion.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:23 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO.

Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.

AnalysisAI

Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.

Technical ContextAI

The affected component is the ibmasm character-device driver, which bridges userspace to an IBM Remote Supervisor Adapter / baseboard service processor (SP) using the I2O messaging protocol over memory-mapped I/O. User-supplied 'dot command' data carries a dot_command_header containing command_size (u8) and data_size (u16); get_dot_command_size() sums these to determine how many bytes to push into the I2O message frame via memcpy_toio(). The root-cause class is CWE-125 (out-of-bounds read): the byte count is attacker-influenced and never bounds-checked against the kernel buffer that was actually allocated, so the copy source pointer runs off the end of the allocation into neighboring slab/heap objects. A secondary defect involves get_mfa_inbound() reading INBOUND_QUEUE_PORT, which dequeues a hardware frame from the SP free pool; an early return without set_mfa_inbound() would permanently exhaust that pool.

RemediationAI

Vendor-released patch: upgrade to a fixed Linux kernel build - 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) per the ENISA EUVD record - pulling the relevant stable backport (e.g., git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec and the sibling stable commits). The fix validates command_size before get_mfa_inbound(), rejects commands whose header is inconsistent with the I2O message length rather than silently clamping, and clamps command_size to I2O_COMMAND_SIZE before memcpy_toio(). Where immediate patching is not possible, the most effective compensating control is to not load the ibmasm module (blacklist it via /etc/modprobe.d, e.g. 'blacklist ibmasm') on systems that do not require IBM service-processor management - trade-off: this disables in-band management/alerting through the RSA/BMC interface. Because the trigger already requires root, also tighten root access and audit/restrict who can issue ioctls to the ibmasm device node. Track the stable backport at the kernel.org stable commit URLs listed in references.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy