CVE-2026-46149
Buffer Overflow in Linux Kernel SCSI Target Subsystem
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's SCSI target configfs code, specifically in the function tg_pt_gp_members_show(). This function uses snprintf() to format LUN paths into a fixed 256-byte stack buffer. However, snprintf() returns the length the output would have had without truncation, which can be larger than the buffer size if the fabric WWN is long, because iSCSI IQN names can be up to 223 bytes.
After snprintf(), memcpy() copies cur_len bytes from the buffer, but the existing check only protects the destination buffer, not the source buffer. This means memcpy() can read beyond the 256-byte stack buffer and copy adjacent stack memory contents to the sysfs reader. When CONFIG_FORTIFY_SOURCE is enabled, this out-of-bounds read triggers fortify_panic(), causing a kernel panic.
The vulnerability was caused by a missing length bound check in tg_pt_gp_members_show(). The same check was added to a similar function, target_lu_gp_members_show(), in a previous commit but was missed here.
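The snprintf() return-value behaviour described above, shown in a userspace model together with a bounded form. This is an added example, not the kernel's code or its patch: the function names, the format string and the sample names are constructed, and the hardened variant rejects an over-long line as one possible way to bound the source read.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 256 /* fixed stack buffer size from the description */

/* Model of the pre-fix check: only the destination is bounded. Returns the
 * length memcpy() would be told to read from the 256-byte source; the copy
 * itself is not performed. The format string is a constructed stand-in. */
size_t unchecked_read_len(const char *prefix, const char *wwn,
                          size_t used, size_t out_size)
{
    char buf[LINE_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s/lun_%u\n", prefix, wwn, 0u);

    if (cur_len < 0 || used + (size_t)cur_len > out_size)
        return 0;
    return (size_t)cur_len; /* untruncated length: may exceed sizeof(buf) */
}

/* Hardened form: also reject any line that did not fit in buf, so the
 * memcpy() source length never exceeds it. Returns bytes appended. */
size_t append_bounded(char *out, size_t out_size, size_t used,
                      const char *prefix, const char *wwn)
{
    char buf[LINE_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s/lun_%u\n", prefix, wwn, 0u);

    if (cur_len < 0 || (size_t)cur_len >= sizeof(buf)) /* source bound */
        return 0;
    if (used + (size_t)cur_len > out_size)             /* destination bound */
        return 0;
    memcpy(out + used, buf, (size_t)cur_len);
    return (size_t)cur_len;
}

int main(void)
{
    char out[4096], wwn[224], prefix[41];

    memset(wwn, 'a', 223);   wwn[223] = '\0';   /* constructed 223-byte name */
    memset(prefix, 'p', 40); prefix[40] = '\0'; /* constructed path prefix */
    printf("unchecked read length: %zu (buffer is %d)\n",
           unchecked_read_len(prefix, wwn, 0, sizeof(out)), LINE_BUF);
    printf("bounded append, long name: %zu\n",
           append_bounded(out, sizeof(out), 0, prefix, wwn));
    printf("bounded append, short name: %zu\n",
           append_bounded(out, sizeof(out), 0, "iscsi", "iqn.2003-01.example:t1"));
    return 0;
}
```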
How can this vulnerability impact me?
This vulnerability can cause a kernel panic due to an out-of-bounds read in the stack buffer when reading certain sysfs entries related to SCSI target LUN paths. This can lead to denial of service (DoS) by crashing the system.
Additionally, because memcpy() reads beyond the intended buffer, it may expose adjacent stack memory contents to the sysfs reader, potentially leaking sensitive kernel stack data.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by adding a length check to avoid buffer overflow in the Linux kernel's SCSI target configfs code. To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for CVE-2026-46149.
Specifically, ensure your kernel includes the commit 27e06650a5ea which adds the necessary bounds check to the target_tg_pt_gp_members_show() function.