CVE-2026-53176
Heap Buffer Overflow in Linux Kernel iSER Login Handling

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.

Affected Vendors & Products

Vendor: linux
Product: linux_kernel
Version / Range: *

Impact Analysis

This vulnerability can be exploited by a remote attacker to cause a denial of service (DoS) by crashing the target Linux system.

Since the crash occurs during the login phase before authentication, an attacker does not need valid credentials to trigger it.

The impact is primarily system availability disruption, potentially affecting services relying on the affected Linux kernel's iSER driver.

Executive Summary

This vulnerability exists in the Linux kernel's iSER driver, specifically in the handling of login PDUs (Protocol Data Units) in the isert_login_recv_done() function.

The function calculates the login request payload length by subtracting a constant header length (ISER_HEADERS_LEN, 76 bytes) from the received byte length without checking if the result is negative.

A remote attacker can send a login request with fewer bytes than this header length, causing the subtraction to underflow and produce a negative length.

This negative length is then used as the size parameter in a memcpy() operation, where sign extension turns it into a very large size_t value. The resulting copy overflows the destination buffer and crashes the target system.

Because this occurs before iSCSI authentication, no credentials are needed to exploit this vulnerability.

The fix involves rejecting any login PDU shorter than the header length before performing the subtraction, preventing the length from becoming negative.
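
The length arithmetic described above, reduced to a user-space C sketch (an added example, not the kernel's code or the upstream patch). ISER_HEADERS_LEN = 76 comes from the description; MAX_KEY_VALUE_PAIRS = 8192 is assumed to match the 8192-byte req_buf, and the helper names are hypothetical. Nothing is copied: the functions only return the length memcpy() would receive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISER_HEADERS_LEN    76   /* value stated in the description */
#define MAX_KEY_VALUE_PAIRS 8192 /* assumption: equals the 8192-byte req_buf */

/* Signed min, as in the description: a negative operand is kept. */
static int min_int(int a, int b) { return a < b ? a : b; }

/* Pre-fix arithmetic (hypothetical helper): no lower bound on byte_len.
 * Returns the size_t that memcpy() would be handed; nothing is copied. */
static size_t copy_len_unpatched(uint32_t byte_len)
{
    int login_req_len = (int)byte_len - ISER_HEADERS_LEN; /* may go negative */
    int size = min_int(login_req_len, MAX_KEY_VALUE_PAIRS);
    return (size_t)size; /* negative int converts to a huge size_t */
}

/* Post-fix arithmetic (hypothetical helper): short PDUs are rejected
 * before the subtraction. Returns 0 and sets *out, or -1 on reject. */
static int copy_len_patched(uint32_t byte_len, size_t *out)
{
    if (byte_len < ISER_HEADERS_LEN)
        return -1;
    int login_req_len = (int)byte_len - ISER_HEADERS_LEN; /* now >= 0 */
    *out = (size_t)min_int(login_req_len, MAX_KEY_VALUE_PAIRS);
    return 0;
}

int main(void)
{
    /* Constructed byte_len values around the 76-byte boundary. */
    const uint32_t samples[] = { 0, 75, 76, 124, 76 + 8192 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = copy_len_patched(samples[i], &n);
        printf("byte_len=%5u  unpatched memcpy len=%zu  patched: ",
               (unsigned)samples[i], copy_len_unpatched(samples[i]));
        if (rc)
            printf("rejected\n");
        else
            printf("len=%zu\n", n);
    }
    return 0;
}
```

Every byte_len below 76 yields a length far larger than the 8192-byte buffer in the unpatched path, while the patched path rejects it before any arithmetic is done.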

Mitigation Strategies

The vulnerability is resolved by rejecting any login PDU shorter than ISER_HEADERS_LEN (76 bytes) before processing, preventing the login_req_len from becoming negative and avoiding out-of-bounds memory access.

Immediate mitigation steps include applying the patch or update that implements this check in the Linux kernel's iSER driver (drivers/infiniband/ulp/isert/ib_isert.c).

Until the patch is applied, consider restricting or monitoring iSER login requests from untrusted or external sources to reduce exposure, as the vulnerability can be triggered without authentication.
