{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46064", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.095Z", "datePublished": "2026-05-27T12:57:30.247Z", "dateUpdated": "2026-06-14T17:51:42.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-14T17:51:42.521Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix heap over-read in ibmasm_send_i2o_message()\n\nThe ibmasm_send_i2o_message() function uses get_dot_command_size() to\ncompute the byte count for memcpy_toio(), but this value is derived from\nuser-controlled fields in the dot_command_header (command_size: u8,\ndata_size: u16) and is never validated against the actual allocation size.\nA root user can write a small buffer with inflated header fields, causing\nmemcpy_toio() to read up to ~65 KB past the end of the allocation into\nadjacent kernel heap, which is then forwarded to the service processor\nover MMIO.\n\nSilently clamping the copy size is not sufficient: if the header fields\nclaim a larger size than the buffer, the SP receives a dot command whose\nown header is inconsistent with the I2O message length, which can cause\nthe SP to desynchronize. Reject such commands outright by returning\nfailure.\n\nValidate command_size before calling get_mfa_inbound() to avoid leaking\nan I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware\nframe from the controller's free pool, and returning without a\ncorresponding set_mfa_inbound() call would permanently exhaust it.\n\nAdditionally, clamp command_size to I2O_COMMAND_SIZE before the\nmemcpy_toio() so the MMIO write stays within the I2O message frame,\nconsistent with the clamping already performed by outgoing_message_size()\nfor the header field."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/ibmasm/lowlevel.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ca1c857e2bb74a9fc0606128334f85316d57067b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "b870f652877bfbe321bd0f4096fc37a93296f7b6", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ce57fa439bd1b5d664f334a0c3e3f0e42abb0153", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "fd19eb1c75047a4ed4e855f56cafd704dc3914e0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "fe31722b0194ff76bf8b461e8bf97a2081147787", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "c1c2417c60dbdca5ebb00462f21ee71c2d7f7083", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9e8f6c9d4ecddda2f28baa1678340286cff3969c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9aad71144fa3682cca3837a06c8623016790e7ec", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/ibmasm/lowlevel.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.258", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.209", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.175", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.86", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.27", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.4", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.10.258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "5.15.209"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.1.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b"}, {"url": "https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6"}, {"url": "https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153"}, {"url": "https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0"}, {"url": "https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787"}, {"url": "https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083"}, {"url": "https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c"}, {"url": "https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec"}], "title": "ibmasm: fix heap over-read in ibmasm_send_i2o_message()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "Linux", "programFiles": ["drivers/misc/ibmasm/lowlevel.c"], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [{"lessThan": "ca1c857e2bb74a9fc0606128334f85316d57067b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "b870f652877bfbe321bd0f4096fc37a93296f7b6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "ce57fa439bd1b5d664f334a0c3e3f0e42abb0153", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "fd19eb1c75047a4ed4e855f56cafd704dc3914e0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "fe31722b0194ff76bf8b461e8bf97a2081147787", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "c1c2417c60dbdca5ebb00462f21ee71c2d7f7083", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "9e8f6c9d4ecddda2f28baa1678340286cff3969c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}, {"lessThan": "9aad71144fa3682cca3837a06c8623016790e7ec", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git"}]}, {"defaultStatus": "affected", "product": "Linux", "programFiles": ["drivers/misc/ibmasm/lowlevel.c"], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [{"status": "affected", "version": "2.6.12"}, {"lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.258", "versionType": "semver"}, {"lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.209", "versionType": "semver"}, {"lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.175", "versionType": "semver"}, {"lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.140", "versionType": "semver"}, {"lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.86", "versionType": "semver"}, {"lessThanOrEqual": "6.18.*", "status": "unaffected", "version": "6.18.27", "versionType": "semver"}, {"lessThanOrEqual": "7.0.*", "status": "unaffected", "version": "7.0.4", "versionType": "semver"}, {"lessThanOrEqual": "*", "status": "unaffected", "version": "7.1", "versionType": "original_commit_for_fix"}]}], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix heap over-read in ibmasm_send_i2o_message()\n\nThe ibmasm_send_i2o_message() function uses get_dot_command_size() to\ncompute the byte count for memcpy_toio(), but this value is derived from\nuser-controlled fields in the dot_command_header (command_size: u8,\ndata_size: u16) and is never validated against the actual allocation size.\nA root user can write a small buffer with inflated header fields, causing\nmemcpy_toio() to read up to ~65 KB past the end of the allocation into\nadjacent kernel heap, which is then forwarded to the service processor\nover MMIO.\n\nSilently clamping the copy size is not sufficient: if the header fields\nclaim a larger size than the buffer, the SP receives a dot command whose\nown header is inconsistent with the I2O message length, which can cause\nthe SP to desynchronize. Reject such commands outright by returning\nfailure.\n\nValidate command_size before calling get_mfa_inbound() to avoid leaking\nan I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware\nframe from the controller's free pool, and returning without a\ncorresponding set_mfa_inbound() call would permanently exhaust it.\n\nAdditionally, clamp command_size to I2O_COMMAND_SIZE before the\nmemcpy_toio() so the MMIO write stays within the I2O message frame,\nconsistent with the clamping already performed by outgoing_message_size()\nfor the header field."}], "id": "CVE-2026-46064", "lastModified": "2026-06-17T10:53:00.497", "metrics": {}, "published": "2026-05-27T14:17:26.867", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ibmasm: fix heap over-read in ibmasm_send_i2o_message()", "id": "2482190", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482190"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel's ibmasm module. A local root user can exploit a heap over-read vulnerability within the `ibmasm_send_i2o_message()` function. This vulnerability arises from insufficient validation of user-controlled input sizes, allowing the system to read beyond allocated memory. Such an exploit could lead to the disclosure of sensitive kernel heap information and potentially cause the service processor to desynchronize, impacting overall system stability."], "name": "CVE-2026-46064", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46064\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46064\nhttps://lore.kernel.org/linux-cve-announce/2026052756-CVE-2026-46064-ba4f@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fd19eb1c75047a4ed4e855f56cafd704dc3914e0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fe31722b0194ff76bf8b461e8bf97a2081147787)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c1c2417c60dbdca5ebb00462f21ee71c2d7f7083)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9e8f6c9d4ecddda2f28baa1678340286cff3969c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9aad71144fa3682cca3837a06c8623016790e7ec)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.140,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.86,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.27,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.4,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-27T18:15:21.494575+00:00", "updated": "2026-05-28T05:45:05.915902+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}