In the Linux kernel, the following vulnerability has been resolved:
ibmasm: fix heap over-read in ibmasmsendi2o_message()
The ibmasmsendi2omessage() function uses getdotcommandsize() to compute the byte count for memcpytoio(), but this value is derived from user-controlled fields in the dotcommandheader (commandsize: u8, datasize: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpytoio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO.
Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure.
Validate commandsize before calling getmfainbound() to avoid leaking an I2O message frame: reading INBOUNDQUEUEPORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding setmfa_inbound() call would permanently exhaust it.
Additionally, clamp commandsize to I2OCOMMANDSIZE before the memcpytoio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoingmessagesize() for the header field.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46064.json"
}