CVE-2026-31464
- Source
- https://cve.org/CVERecord?id=CVE-2026-31464
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31464.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31464
- Downstream
- Related
- Published
- 2026-04-22T13:53:54.970Z
- Modified
- 2026-06-24T09:14:03.936257915Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Fix OOB access in ibmvfcdiscovertargets_done()
A malicious or compromised VIO server can return a numwritten value in the discover targets MAD response that exceeds maxtargets. This value is stored directly in vhost->numtargets without validation, and is then used as the loop bound in ibmvfcalloctargets() to index into discbuf[], which is only allocated for maxtargets entries. Indices at or beyond maxtargets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory.
Fix by clamping numwritten to maxtargets before storing it.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31464.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89
- https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161
- https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f
- https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983
- https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc
- https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db
- https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780
- https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31464.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31464
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced072b91f9c6510d0ec4a49d07dbc318760c7da7b3Fixedd842348f8a00d5b1d7358f207eb34ffcf5b16df3Fixeda007246cb6c9ebdc93dafbf63cc2d43d98f402ccFixed394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89Fixed4ed727e35b0ab17d3eeeb1e8023768396e2be161Fixedd1466bf991b2343cf2ba8336e440c8faf3cbb780Fixed786f10b1966e485046839f992e89f2c18cbd1983Fixedbae4df0a643fa7f84663473aa3082a9c2ed139dbFixed61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.27Fixed5.10.253
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.168
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.131
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.80
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.21
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.11