CVE-2026-31464
Published: 22 April 2026
Summary
CVE-2026-31464 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel's ibmvfc (IBM Virtual Fibre Channel) SCSI driver. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks at the 8.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as num_written in VIO server MAD responses, preventing out-of-bounds indexing into the disc_buf array.
- SI-2 (Flaw Remediation): ensures timely identification, testing, and deployment of the kernel patches that clamp num_written to max_targets, eliminating the vulnerability.
- Kernel memory safeguards that limit the impact of out-of-bounds access and the leakage of sensitive kernel data in MAD responses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in a kernel driver leaks kernel memory back to the VIO server inside later MADs (data collection, T1005; where that memory holds credential material, credential access via memory disclosure, T1212). The out-of-bounds access can also crash the client, giving a high availability impact (Endpoint Denial of Service, T1499). The trigger is a malicious or compromised VIO server on the client's virtual I/O path (CVSS AV:A), with no authentication required.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
Deeper analysis
CVE-2026-31464 is an out-of-bounds memory access vulnerability in the Linux kernel's ibmvfc (IBM Virtual Fibre Channel) SCSI driver, specifically within the ibmvfc_discover_targets_done() function. A malicious or compromised Virtual I/O (VIO) server can supply a num_written value in the discover targets MAD response that exceeds the max_targets limit. This value is stored directly in vhost->num_targets without validation and later used as the loop bound in ibmvfc_alloc_targets() to index into the disc_buf[] array, which is allocated only for max_targets entries, resulting in access to kernel memory outside the DMA-coherent allocation.
Exploitation requires adjacent access (AV:A) with low complexity (AC:L) and no privileges (PR:N): the attacker must control the VIO server partition that serves the client partition's virtual Fibre Channel adapter, which is exactly the peer the driver trusts to fill in the discover targets response. Successful exploitation yields high confidentiality impact, because the out-of-bounds kernel memory is embedded in the subsequent Implicit Logout and PLOGI MADs the client sends back to the VIO server, so the leaked data is delivered to the attacker as part of the normal protocol flow with no extra channel needed. The out-of-bounds access also carries high availability impact (A:H). The CVSS v3.1 base score is 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
Mitigation patches clamp the num_written value to max_targets before storing it in vhost->num_targets, preventing the out-of-bounds access. These fixes are available in multiple Linux kernel stable branches via commits at git.kernel.org/stable, including 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89, 4ed727e35b0ab17d3eeeb1e8023768396e2be161, 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f, 786f10b1966e485046839f992e89f2c18cbd1983, and a007246cb6c9ebdc93dafbf63cc2d43d98f402cc.
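The bug pattern described above, as an added illustrative example that is not the kernel's code and not the patch: a toy model of the discover-targets completion handler and the allocation loop. The type and function names (disc_entry, host, get_be32, alloc_targets), the buffer layout, and the exact form of the clamp are all assumptions for the demo. A constructed MAD response claims num_written = 64 while the buffer was allocated for max_targets = 16 entries; the unclamped handler lets the loop walk 48 entries past the allocation and echo their contents, while the clamped handler stops at 16.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the ibmvfc discover-targets path. Every name and
 * layout here is an assumption for the demo, not the kernel's definition. */

#define MAX_TARGETS   16u            /* entries the "DMA-coherent" disc_buf holds */
#define ARENA_ENTRIES 64u            /* disc_buf plus the memory that follows it */
#define SECRET_ID     0x5ec7e7ULL    /* marker standing in for adjacent kernel data */

struct disc_entry {                  /* one discovered target, written by the VIOS */
    uint64_t scsi_id;
    uint64_t wwpn;
};

struct discover_targets_rsp {        /* MAD response; num_written is big-endian */
    uint8_t num_written[4];
};

struct host {
    uint32_t max_targets;            /* size disc_buf was allocated for */
    uint32_t num_targets;            /* loop bound later used to allocate targets */
    struct disc_entry *disc_buf;
};

static uint32_t get_be32(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Vulnerable completion handler: trusts num_written from the VIO server. */
static void discover_targets_done_vuln(struct host *vhost,
                                       const struct discover_targets_rsp *rsp)
{
    vhost->num_targets = get_be32(rsp->num_written);
}

/* Hardened handler: clamp to what disc_buf was actually allocated for. */
static void discover_targets_done_fixed(struct host *vhost,
                                        const struct discover_targets_rsp *rsp)
{
    uint32_t n = get_be32(rsp->num_written);
    if (n > vhost->max_targets)
        n = vhost->max_targets;
    vhost->num_targets = n;
}

/* Mirrors the loop shape of ibmvfc_alloc_targets(): index disc_buf[i] for
 * i < num_targets and copy the scsi_id that later MADs echo back to the VIOS.
 * The out_cap bound only keeps this demo inside the arena (defined behaviour);
 * the kernel loop has no such guard, which is the bug. */
static size_t alloc_targets(const struct host *vhost, uint64_t *out, size_t out_cap)
{
    size_t n = 0;
    for (uint32_t i = 0; i < vhost->num_targets && n < out_cap; i++)
        out[n++] = vhost->disc_buf[i].scsi_id;
    return n;
}

/* Constructed arena: the first MAX_TARGETS entries are the real allocation,
 * everything after them plays the role of adjacent kernel memory. */
static void setup(struct host *vhost, struct disc_entry *arena,
                  struct discover_targets_rsp *rsp, uint32_t num_written)
{
    for (uint32_t i = 0; i < ARENA_ENTRIES; i++) {
        arena[i].scsi_id = (i < MAX_TARGETS) ? 0x10000u + i : SECRET_ID;
        arena[i].wwpn = 0;
    }
    vhost->max_targets = MAX_TARGETS;
    vhost->num_targets = 0;
    vhost->disc_buf = arena;
    rsp->num_written[0] = (uint8_t)(num_written >> 24);
    rsp->num_written[1] = (uint8_t)(num_written >> 16);
    rsp->num_written[2] = (uint8_t)(num_written >> 8);
    rsp->num_written[3] = (uint8_t)num_written;
}

/* num_targets the chosen handler leaves behind for a response claiming num_written. */
static uint32_t effective_num_targets(int fixed, uint32_t num_written)
{
    struct disc_entry arena[ARENA_ENTRIES];
    struct discover_targets_rsp rsp;
    struct host vhost;
    setup(&vhost, arena, &rsp, num_written);
    if (fixed) discover_targets_done_fixed(&vhost, &rsp);
    else       discover_targets_done_vuln(&vhost, &rsp);
    return vhost.num_targets;
}

/* How many scsi_ids echoed back to the VIOS came from beyond the allocation. */
static size_t leaked_entries(int fixed, uint32_t num_written)
{
    struct disc_entry arena[ARENA_ENTRIES];
    struct discover_targets_rsp rsp;
    struct host vhost;
    uint64_t echoed[ARENA_ENTRIES];
    size_t leaked = 0;
    setup(&vhost, arena, &rsp, num_written);
    if (fixed) discover_targets_done_fixed(&vhost, &rsp);
    else       discover_targets_done_vuln(&vhost, &rsp);
    size_t n = alloc_targets(&vhost, echoed, ARENA_ENTRIES);
    for (size_t i = 0; i < n; i++)
        if (echoed[i] == SECRET_ID)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable, num_written=64: num_targets=%u leaked=%zu\n",
           effective_num_targets(0, 64), leaked_entries(0, 64));
    printf("fixed,      num_written=64: num_targets=%u leaked=%zu\n",
           effective_num_targets(1, 64), leaked_entries(1, 64));
    printf("fixed,      num_written=8:  num_targets=%u leaked=%zu\n",
           effective_num_targets(1, 8), leaked_entries(1, 8));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The only difference between the two handlers is the clamp against max_targets, the value the allocation was sized for; the loop that consumes num_targets is unchanged, which is why the fix belongs at the point where the untrusted value enters the driver rather than in every consumer of it.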
Details
- CWE(s)