{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31464","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.097Z","datePublished":"2026-04-22T13:53:54.970Z","dateUpdated":"2026-05-11T22:09:14.078Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:09:14.078Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()\n\nA malicious or compromised VIO server can return a num_written value in the\ndiscover targets MAD response that exceeds max_targets. This value is\nstored directly in vhost->num_targets without validation, and is then used\nas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which\nis only allocated for max_targets entries. Indices at or beyond max_targets\naccess kernel memory outside the DMA-coherent allocation.  The\nout-of-bounds data is subsequently embedded in Implicit Logout and PLOGI\nMADs that are sent back to the VIO server, leaking kernel memory.\n\nFix by clamping num_written to max_targets before storing it."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":8.1,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/ibmvscsi/ibmvfc.c"],"versions":[{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"d842348f8a00d5b1d7358f207eb34ffcf5b16df3","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"a007246cb6c9ebdc93dafbf63cc2d43d98f402cc","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"4ed727e35b0ab17d3eeeb1e8023768396e2be161","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"d1466bf991b2343cf2ba8336e440c8faf3cbb780","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"786f10b1966e485046839f992e89f2c18cbd1983","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"bae4df0a643fa7f84663473aa3082a9c2ed139db","status":"affected","versionType":"git"},{"version":"072b91f9c6510d0ec4a49d07dbc318760c7da7b3","lessThan":"61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/ibmvscsi/ibmvfc.c"],"versions":[{"version":"2.6.27","status":"affected"},{"version":"0","lessThan":"2.6.27","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d842348f8a00d5b1d7358f207eb34ffcf5b16df3"},{"url":"https://git.kernel.org/stable/c/a007246cb6c9ebdc93dafbf63cc2d43d98f402cc"},{"url":"https://git.kernel.org/stable/c/394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89"},{"url":"https://git.kernel.org/stable/c/4ed727e35b0ab17d3eeeb1e8023768396e2be161"},{"url":"https://git.kernel.org/stable/c/d1466bf991b2343cf2ba8336e440c8faf3cbb780"},{"url":"https://git.kernel.org/stable/c/786f10b1966e485046839f992e89f2c18cbd1983"},{"url":"https://git.kernel.org/stable/c/bae4df0a643fa7f84663473aa3082a9c2ed139db"},{"url":"https://git.kernel.org/stable/c/61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f"}],"title":"scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()","x_generator":{"engine":"bippy-1.2.0"}}}}