{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46022","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.092Z","datePublished":"2026-05-27T12:56:26.791Z","dateUpdated":"2026-06-14T17:48:35.855Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:48:35.855Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()\n\nibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read\nwhen the queue reader or writer index from hardware exceeds\nREMOTE_QUEUE_SIZE (60).\n\nA compromised service processor can trigger this by writing an\nout-of-range value to the reader or writer MMIO register before\nasserting an interrupt. Since writer is re-read from hardware on\nevery loop iteration, it can also be set to an out-of-range value\nafter the loop has already started.\n\nThe root cause is that get_queue_reader() and get_queue_writer() return\nraw readl() values that are passed directly into get_queue_entry(),\nwhich computes:\n\n  queue_begin + reader * sizeof(struct remote_input)\n\nwith no bounds check. This unchecked MMIO address is then passed to\nmemcpy_fromio(), reading 8 bytes from unintended device registers.\nFor sufficiently large values the address falls outside the PCI BAR\nmapping entirely, triggering a machine check exception.\n\nFix by checking both indices against REMOTE_QUEUE_SIZE at the top of\nthe loop body, before any call to get_queue_entry(). On an out-of-range\nvalue, reset the reader register to 0 via set_queue_reader() before\nbreaking, so that normal queue operation can resume if the corrupted\nhardware state is transient."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/misc/ibmasm/remote.c"],"versions":[{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"6f6ecc9153df176e956d0664b56f93080b0a45f0","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"bac8643486f854dd53af9b23aea7dbbd9b7c1865","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"fc7e9a74e32299d7e93e178ca482a0b59ef1595b","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"07c4f18b303106e6b24492c12b95d48a4b985841","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"22a16d3eafee92a165c756081587c95850127107","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"1ca75f6b74ec7f685464e5745ecfcf3a76d284e9","status":"affected","versionType":"git"},{"version":"278d72ae8803ffcd16070c95fe1d53f4466dc741","lessThan":"4b6e6ead556734bdc14024c5f837132b1e7a4b84","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/misc/ibmasm/remote.c"],"versions":[{"version":"2.6.13","status":"affected"},{"version":"0","lessThan":"2.6.13","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0"},{"url":"https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865"},{"url":"https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab"},{"url":"https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b"},{"url":"https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841"},{"url":"https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107"},{"url":"https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9"},{"url":"https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84"}],"title":"misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()","x_generator":{"engine":"bippy-1.2.0"}}}}