CVE-2026-31464
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Access in Linux ibmvfc Causes Kernel Memory Leak

Publication date: 2026-04-22

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31464
EUVD
EUVD-2026-24807
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.27 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's scsi: ibmvfc driver. A malicious or compromised VIO server can send a discover targets MAD response with a num_written value that exceeds the maximum allowed targets (max_targets). This value is stored without validation and used as a loop bound to index into an array (disc_buf[]) that is only allocated for max_targets entries. As a result, the code accesses memory outside the allocated buffer (out-of-bounds access). This out-of-bounds data is then embedded in messages sent back to the VIO server, causing leakage of kernel memory.

The vulnerability is fixed by clamping the num_written value to max_targets before storing it, preventing out-of-bounds access.

Impact Analysis

This vulnerability can lead to leakage of kernel memory to a malicious or compromised VIO server. Such leakage may expose sensitive information stored in kernel memory, potentially aiding attackers in further compromising the system or gaining unauthorized access.

Mitigation Strategies

The vulnerability is fixed by clamping the num_written value to max_targets before storing it in the Linux kernel's ibmvfc driver. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31464. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart