CVE-2026-46064 — ibmasm: fix heap over-read in ibmasm_send_i2o_message()

AI Predicted 5.5 · Difficulty: Hard · EPSS 0.03% · P10

Possible ATT&CK Techniques: 1 (AI)

T1059 · Command and Scripting Interpreter

Affected Version Matrix 18

| Vendor | Product | Version Range | Status |
| --- | --- | --- | --- |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ca1c857e2bb74a9fc0606128334f85316d57067b | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b870f652877bfbe321bd0f4096fc37a93296f7b6 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ce57fa439bd1b5d664f334a0c3e3f0e42abb0153 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < fd19eb1c75047a4ed4e855f56cafd704dc3914e0 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < fe31722b0194ff76bf8b461e8bf97a2081147787 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c1c2417c60dbdca5ebb00462f21ee71c2d7f7083 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9e8f6c9d4ecddda2f28baa1678340286cff3969c | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9aad71144fa3682cca3837a06c8623016790e7ec | affected |
… +10 more rows

I. Basic Information for CVE-2026-46064

Vulnerability Information


Vulnerability Title
ibmasm: fix heap over-read in ibmasm_send_i2o_message()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size.

A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO.

Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.
Source: NVD (National Vulnerability Database)
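
The order of checks the description calls for, as an added user-space C model (not the kernel patch and not code from this page): reject a header that claims more than the allocation before any frame is taken, then clamp the copy to the frame size. MODEL_I2O_COMMAND_SIZE and its value, the header fields other than command_size and data_size, the frames_taken counter, send_checked() and try_send() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_I2O_COMMAND_SIZE 240u  /* assumed frame payload size (model only) */

struct dot_hdr {                     /* page names command_size (u8), data_size (u16); */
    uint8_t  type, command_size;     /* the other fields are assumed for the model */
    uint16_t data_size;
    uint8_t  status, reserved;
};

static uint8_t frame[MODEL_I2O_COMMAND_SIZE];  /* stands in for the MMIO frame */
int frames_taken;                    /* frames dequeued from the free pool so far */

/* Returns bytes copied into the frame, or 0 when the command is rejected. */
size_t send_checked(const void *buf, size_t alloc_len)
{
    struct dot_hdr h;
    size_t n;
    if (alloc_len < sizeof(h))
        return 0;                    /* no complete header to trust */
    memcpy(&h, buf, sizeof(h));
    n = sizeof(h) + h.command_size + h.data_size;  /* size the header claims */
    if (n > alloc_len)
        return 0;                    /* inflated header: reject before taking a frame */
    frames_taken++;                  /* models the dequeue done by get_mfa_inbound() */
    if (n > MODEL_I2O_COMMAND_SIZE)
        n = MODEL_I2O_COMMAND_SIZE;  /* the copy must stay inside the frame */
    memcpy(frame, buf, n);
    return n;
}

/* Constructed input: allocate alloc_len bytes and stamp the given header fields. */
size_t try_send(uint8_t command_size, uint16_t data_size, size_t alloc_len)
{
    struct dot_hdr h = { .command_size = command_size, .data_size = data_size };
    uint8_t *buf = calloc(1, alloc_len ? alloc_len : 1);
    size_t n;
    if (!buf)
        return 0;
    memcpy(buf, &h, alloc_len < sizeof(h) ? alloc_len : sizeof(h));
    n = send_checked(buf, alloc_len);
    free(buf);
    return n;
}

/* 16-byte allocation whose header claims 6 + 255 + 65535 bytes: must be rejected */
int main(void) { return try_send(255, 65535, 16) == 0 ? 0 : 1; }
```

Because the rejection happens before frames_taken is incremented, a malformed command costs no frame, which is the leak the description warns about.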
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
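Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel has a security vulnerability caused by a heap out-of-bounds read in the ibmasm_send_i2o_message function in ibmasm, which may lead to reading adjacent kernel heap data.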
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
| --- | --- | --- | --- |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ~ ca1c857e2bb74a9fc0606128334f85316d57067b | - |
| Linux | Linux | 2.6.12 | - |

II. Public POCs for CVE-2026-46064


No public POC found.


III. Intelligence Information for CVE-2026-46064


Patches & Fixes for CVE-2026-46064 (7)

Other References for CVE-2026-46064 (1)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-45898 · 9.8 CRITICAL · RDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-45972 · 9.8 CRITICAL · smb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-46039 · 9.8 CRITICAL · rxgk: Fix potential integer overflow in length check
CVE-2026-45988 · 9.8 CRITICAL · rxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-46043 · 9.1 CRITICAL · RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-46056 · 8.8 HIGH · Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-45945 · 8.8 HIGH · iommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-46037 · 8.2 HIGH · ipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-45843 · 8.2 HIGH · slip: bound decode() reads against the compressed packet length
CVE-2026-46010 · 8.1 HIGH · rxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-46099 · 8.1 HIGH · net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-46076 · 7.9 HIGH · KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-46036 · 7.8 HIGH · vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
CVE-2026-45861 · 7.8 HIGH · gfs2: Fix slab-use-after-free in qd_put
CVE-2026-45852 · 7.8 HIGH · RDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-45929 · 7.8 HIGH · ovpn: fix possible use-after-free in ovpn_net_xmit
CVE-2026-45984 · 7.8 HIGH · gfs2: Fix use-after-free in iomap inline data write path
CVE-2026-45933 · 7.8 HIGH · bpf: Preserve id of register in sync_linked_regs()
CVE-2026-46058 · 7.8 HIGH · media: amphion: Fix race between m2m job_abort and device_run
CVE-2026-45931 · 7.8 HIGH · accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Showing top 20 of 276 CVEs. View all on vendor page →
