CVE-2026-46022
Analyzed - Analysis Complete
Out-of-Bounds MMIO Read in Linux Kernel ibmasm Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes:

queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 7 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | From 6.7 (inc) to 6.12.86 (exc)
linux | linux_kernel | From 5.16 (inc) to 6.1.175 (exc)
linux | linux_kernel | From 5.11 (inc) to 5.15.209 (exc)
linux | linux_kernel | From 6.2 (inc) to 6.6.140 (exc)
linux | linux_kernel | From 6.13 (inc) to 6.18.27 (exc)
linux | linux_kernel | From 6.19 (inc) to 7.0.4 (exc)
linux | linux_kernel | From 2.6.13 (inc) to 5.10.258 (exc)

CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.

Executive Summary

This vulnerability exists in the Linux kernel's ibmasm component, specifically in the function ibmasm_handle_mouse_interrupt(). It involves an out-of-bounds (OOB) memory-mapped I/O (MMIO) read triggered when hardware provides a queue reader or writer index that exceeds the allowed REMOTE_QUEUE_SIZE (60).

The problem arises because get_queue_reader() and get_queue_writer() return raw hardware values without checking that they are within valid bounds. These values are then used to compute the address of a queue entry, and that address is read without validation, so the read can land on unintended device registers or fall outside the PCI BAR mapping entirely. The latter triggers a machine check exception.

A compromised service processor can exploit this by writing out-of-range values to the reader or writer MMIO registers before triggering an interrupt, causing the kernel to perform these unsafe reads.

Impact Analysis

This vulnerability can lead to the Linux kernel performing out-of-bounds reads from device registers, which may cause system instability or crashes due to machine check exceptions.

If an attacker has control over the service processor, they could exploit this flaw to disrupt normal system operation or potentially cause denial of service by triggering these exceptions.

Mitigation Strategies

The fix adds bounds checks on the reader and writer indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry().

When an out-of-range value is detected, the fix resets the reader register to 0 via set_queue_reader() before breaking out of the loop, so that normal queue operation can resume if the corrupted hardware state is transient.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix for the ibmasm driver.
