Skip to main content

Linux Kernel EUVDEUVD-2026-32864

| CVE-2026-46105 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vf7g-hg9j-7w2w
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:47 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Limit NVMe request size to 2 MiB

The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.

Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.

AnalysisAI

Local denial of service in the Linux kernel's mpt3sas SCSI driver allows a privileged local user to trigger a kernel oops by issuing oversized NVMe I/O operations against drives behind Broadcom/LSI MPT3 SAS HBAs. The flaw stems from a size mismatch between firmware-reported MDTS values and the driver's fixed 4K PRP list buffer, and no public exploit identified at time of analysis. EPSS is very low (0.02%, 4th percentile), consistent with a kernel reliability bug requiring local privileged access rather than a remote attack surface.

Technical ContextAI

The mpt3sas driver in the Linux kernel supports Broadcom (formerly LSI/Avago) Fusion-MPT 12Gb/s and 24Gb/s SAS Host Bus Adapters that can present NVMe devices behind the controller. NVMe transfers use Physical Region Page (PRP) lists to describe scatter-gather memory regions, and the HBA firmware exposes the drive's Maximum Data Transfer Size (MDTS) so the kernel can size requests appropriately. The driver, however, statically allocates a 4 KiB PRP list buffer holding at most 512 entries, capping practical transfers at 2 MiB; when firmware reports an MDTS larger than this, the SCSI midlayer can dispatch I/O exceeding the buffer's capacity, overrunning driver assumptions and producing a kernel oops. The fix clamps max_hw_sectors to the lower of the firmware MDTS and the 2 MiB driver limit. No CWE is assigned, but functionally this is an improper input validation / incorrect resource limit issue in a kernel storage driver.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.30, 7.0.7, 7.1-rc3, or any later kernel that includes the mpt3sas MDTS clamp commits (04631f55, 45dcc815, e5f98248); distribution-supplied stable kernels carrying these backports are equally valid. For environments that cannot reboot into a new kernel immediately, an effective compensating control is to administratively cap the per-request transfer size on affected SCSI devices via /sys/block/<dev>/queue/max_sectors_kb to a value at or below 2048 (2 MiB), which prevents the SCSI midlayer from issuing requests the driver cannot describe - the trade-off is reduced large-I/O throughput for workloads that previously benefited from larger transfers. Where mpt3sas-attached NVMe is not actually in use, unloading the driver eliminates exposure but will detach any storage it manages, so it is only appropriate on hosts without such hardware. Reference patches: https://git.kernel.org/stable/c/04631f55afc543d5431a2bdee7f6cc0f2c0debe7 and https://git.kernel.org/stable/c/e5f9824817c6358b9f9738bdb92dec9e4e794d3c.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy