Executive Summary

This vulnerability exists in the Linux kernel's scsi mpt3sas driver, which handles NVMe requests. The driver allocates a fixed 4K buffer for the PRP list, supporting a maximum of 512 entries, which limits the maximum I/O transfer size to 2 MiB. However, the HBA firmware reports NVMe MDTS values based on the underlying drive capability, which can be larger. Because the driver does not initially limit the request size to 2 MiB, it could issue oversized I/O requests that exceed the driver's buffer capacity.

The vulnerability was resolved by limiting the maximum hardware sectors (max_hw_sectors) to the smaller value between the reported MDTS and the 2 MiB driver limit. This prevents the driver from issuing I/O requests larger than it can safely handle, avoiding potential kernel crashes (kernel oops).

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can cause the Linux kernel to crash (kernel oops) due to the driver issuing oversized I/O requests that exceed its buffer capacity. This can lead to system instability, potential data loss, or denial of service as the kernel may become unresponsive or reboot unexpectedly.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel includes the fix that limits the NVMe request size to 2 MiB in the mpt3sas driver.

This fix involves limiting max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may cause a kernel oops.

Therefore, updating your Linux kernel to a version released after 2026-05-28 that contains this patch is the recommended immediate step.

Useful 0 Not Useful 0