CVE-2026-31464

Severity: High
Published: 22 April 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0027 (19.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-31464 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 19.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31464 is an out-of-bounds memory access vulnerability in the Linux kernel's ibmvfc (IBM Virtual Fibre Channel) SCSI driver, specifically in the ibmvfc_discover_targets_done() function. A malicious or compromised Virtual I/O (VIO) server can supply a num_written value in the discover-targets MAD response that exceeds the driver's max_targets limit. That value is stored in vhost->num_targets without validation and later used as the loop bound in ibmvfc_alloc_targets() to index disc_buf[], which is allocated for only max_targets entries, so indices at or beyond max_targets read kernel memory outside the DMA-coherent allocation.

Exploitation requires adjacent network access (AV:A), low attack complexity (AC:L) and no privileges (PR:N): an unauthenticated attacker who controls the VIO server can trigger the issue. The confidentiality impact is high because the out-of-bounds kernel memory is embedded in the subsequent Implicit Logout and PLOGI MADs returned to the VIO server, and the availability impact is high as well. The CVSS v3.1 base score is 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

The fix clamps num_written to max_targets before storing it in vhost->num_targets, which prevents the out-of-bounds access. It is available in multiple Linux kernel stable branches via commits at git.kernel.org/stable: 394a1cac3c12fdd7d77f19ccfd222ab5ff87ef89, 4ed727e35b0ab17d3eeeb1e8023768396e2be161, 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f, 786f10b1966e485046839f992e89f2c18cbd1983 and a007246cb6c9ebdc93dafbf63cc2d43d98f402cc.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()

A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
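The following C program is an added illustration of the pattern described in the Deeper analysis and Vulnerability details sections above; it is not the ibmvfc driver's code and none of its names (vhost_model, disc_entry, discover_targets_resp, store_num_targets_unchecked, store_num_targets_clamped, walk_targets) are kernel identifiers. It models an untrusted num_written arriving from the VIO server, shows the unvalidated store beside the clamped one, and replaces the real allocation loop's out-of-range dereference with a counter, so the program reports how many indices would have landed outside a disc_buf sized for max_targets without actually reading past the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified model of the discover-targets path (assumed
 * names, not the kernel's structures). It mirrors only the relationship the
 * advisory describes: a num_written field controlled by the VIO server is
 * stored as num_targets and then bounds a loop over disc_buf[], which was
 * allocated for max_targets entries.
 */
#define MODEL_MAX_TARGETS 8u

struct disc_entry {
    uint64_t scsi_id;   /* constructed placeholder for a discovered target */
};

struct vhost_model {
    uint32_t max_targets;                          /* size disc_buf was allocated for */
    uint32_t num_targets;                          /* derived from the MAD response */
    struct disc_entry disc_buf[MODEL_MAX_TARGETS]; /* stands in for the DMA-coherent buffer */
};

/* The one response field that matters here; the VIO server controls it. */
struct discover_targets_resp {
    uint32_t num_written;
};

/* Vulnerable pattern: the untrusted count is stored without validation. */
static uint32_t store_num_targets_unchecked(struct vhost_model *v,
                                            const struct discover_targets_resp *r)
{
    v->num_targets = r->num_written;
    return v->num_targets;
}

/* Fixed pattern: clamp to max_targets before the value becomes a loop bound. */
static uint32_t store_num_targets_clamped(struct vhost_model *v,
                                          const struct discover_targets_resp *r)
{
    uint32_t n = r->num_written;

    if (n > v->max_targets)
        n = v->max_targets;
    v->num_targets = n;
    return n;
}

/*
 * Stand-in for the loop that walks disc_buf[0 .. num_targets). Instead of
 * dereferencing out-of-range entries (the bug itself), it copies in-bounds
 * entries to `out` and returns how many indices fell at or beyond
 * max_targets. A non-zero return means the real driver would have read past
 * its allocation.
 */
static uint32_t walk_targets(const struct vhost_model *v,
                             struct disc_entry *out, uint32_t out_len)
{
    uint32_t oob = 0;

    for (uint32_t i = 0; i < v->num_targets; i++) {
        if (i >= v->max_targets || i >= out_len) {
            oob++;
            continue;
        }
        out[i] = v->disc_buf[i];
    }
    return oob;
}

/* Fresh model with max_targets entries filled with constructed IDs. */
static void init_model(struct vhost_model *v)
{
    memset(v, 0, sizeof(*v));
    v->max_targets = MODEL_MAX_TARGETS;
    for (uint32_t i = 0; i < v->max_targets; i++)
        v->disc_buf[i].scsi_id = 0x10000u + i;
}

/* Out-of-range index count when the untrusted value is stored unchecked. */
static uint32_t oob_count_unchecked(uint32_t num_written)
{
    struct vhost_model v;
    struct disc_entry out[MODEL_MAX_TARGETS];
    struct discover_targets_resp resp = { .num_written = num_written };

    init_model(&v);
    store_num_targets_unchecked(&v, &resp);
    return walk_targets(&v, out, MODEL_MAX_TARGETS);
}

/* Out-of-range index count when the value is clamped first. */
static uint32_t oob_count_clamped(uint32_t num_written)
{
    struct vhost_model v;
    struct disc_entry out[MODEL_MAX_TARGETS];
    struct discover_targets_resp resp = { .num_written = num_written };

    init_model(&v);
    store_num_targets_clamped(&v, &resp);
    return walk_targets(&v, out, MODEL_MAX_TARGETS);
}

int main(void)
{
    /* Constructed response: the VIO server claims 64 targets; the buffer holds 8. */
    uint32_t bad = oob_count_unchecked(64);
    uint32_t good = oob_count_clamped(64);

    printf("num_written=64: unchecked touches %u out-of-range entries, clamped %u\n",
           bad, good);
    return good == 0 ? 0 : 1;
}
```

The clamp is the whole fix: once num_targets can never exceed max_targets, the loop bound and the allocation size agree again, and the MADs built from disc_buf[] can no longer carry memory from outside it. When reviewing similar drivers, the check to look for is exactly this one: any count or length taken from a peer must be compared against the size the receiving buffer was allocated for before it is stored or used as a bound.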

CWE(s): CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

T1499 Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

An out-of-bounds read in a kernel driver leaks kernel memory directly (T1005 data collection, and T1212 credential access via memory disclosure) and carries a high availability impact through a crash or DoS (T1499); it is triggered remotely by a malicious VIO server with no authentication required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-49518: same product (Linux kernel)
CVE-2022-49145: same product (Linux kernel)
CVE-2022-49094: same product (Linux kernel)
CVE-2022-49395: same product (Linux kernel)
CVE-2025-71116: same product (Linux kernel)
CVE-2025-71201: same product (Linux kernel)
CVE-2022-49251: same product (Linux kernel)
CVE-2025-21742: same product (Linux kernel)
CVE-2026-23187: same product (Linux kernel)
CVE-2025-71093: same product (Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 2.6.27 to 5.10.253; 5.11 to 5.15.203; 5.16 to 6.1.168

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of untrusted inputs such as num_written from VIO server MAD responses, preventing out-of-bounds indexing into the disc_buf array.

SI-2 Flaw Remediation (prevent): ensures timely identification, testing and deployment of the kernel patches that clamp num_written to max_targets, eliminating the vulnerability.

Prevent: implements kernel memory safeguards to mitigate the impact of out-of-bounds access and the leakage of sensitive kernel data in MAD responses.