HIGH 7.8

CVE-2026-46105

A flaw in the Linux kernel's mpt3sas driver allows NVMe storage controllers to accept I/O requests larger than the driver can safely handle. The driver allocates a fixed 4 KB buffer that can hold at most 512 entries in its request queue (PRP list), limiting safe transfers to 2 MiB. However, the firmware may advertise support for larger transfers based on the drive's capabilities. When oversized requests are issued, the kernel can crash. This vulnerability requires local access and valid user privileges to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-25

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The mpt3sas driver initializes max_hw_sectors based on NVMe MDTS (Maximum Data Transfer Size) values reported by the HBA firmware without accounting for the driver's architectural constraints. The driver's fixed 4 KB PRP (Physical Region Page) list buffer accommodates 512 entries, enforcing a practical 2 MiB transfer limit. When the reported MDTS exceeds this limit, the driver permits I/O requests that exceed its buffer capacity, causing memory corruption and kernel panic when the oversized request is processed. The fix caps max_hw_sectors to the minimum of the firmware-reported MDTS and the 2 MiB driver limit, ensuring all requests remain within safe boundaries.

Business impact

This vulnerability can cause denial of service through kernel crashes on systems using mpt3sas-based NVMe HBAs. Affected systems may experience unexpected reboots, data loss if writes are interrupted, and service unavailability. The impact is limited to local users with valid credentials, but in multi-tenant or shared storage environments, even unprivileged users with login access could trigger the crash. Organizations relying on high-availability storage configurations may face unplanned downtime and disrupted workloads.

Affected systems

The Linux kernel is affected, specifically systems running the mpt3sas driver for Broadcom's storage HBAs that support NVMe. This includes Megaraid SAS 9000 and 9500 series controllers and related variants. Both server-class storage arrays and workstations with these HBAs are at risk. Verify your kernel version and confirm whether mpt3sas is in use via 'lsmod | grep mpt3sas' and check HBA model with 'lspci' for Broadcom/Avago/Seagate storage controllers.

Exploitability

Exploitation requires local system access and user-level privileges (non-root). An attacker must be able to issue I/O requests—for example, through direct file system operations, container orchestration, or virtualized storage access. The barrier to exploitation is moderate; no advanced techniques are needed beyond triggering large I/O transfers. However, the crash is not guaranteed to be exploitable for code execution; the primary impact is denial of service. The vulnerability is not known to be actively exploited in the wild.

Remediation

Apply a kernel patch that implements the MDTS-to-driver-limit capping logic in the mpt3sas driver. Patched versions restrict max_hw_sectors to the smaller of the firmware-reported value and the 2 MiB driver maximum. Verify the patch version against your Linux distribution's security advisory. Until patching is possible, limit I/O request sizes at the application or block device layer, or restrict user access to NVMe storage interfaces.

Patch guidance

Check your Linux distribution's security updates for mpt3sas driver fixes. Kernel patches typically become available in stable release series shortly after vulnerability disclosure. Fedora, RHEL, Ubuntu, Debian, and SUSE generally backport such fixes to supported kernel branches. Consult your vendor's security advisory for exact patched kernel versions. For systems unable to update immediately, use 'blockdev' or storage management tools to impose I/O size limits at the device level as a temporary mitigation.

Detection guidance

Monitor kernel logs (dmesg, /var/log/kern.log) for mpt3sas driver errors and kernel oops messages. Look for stack traces mentioning 'mpt3sas' or 'sas_scsi_host' combined with memory access violations. Enable audit logging for I/O operations if your system supports it. Systems experiencing unexpected crashes or reboots with mpt3sas in the driver stack should be investigated for this vulnerability. Use 'uname -r' to identify your kernel version and cross-reference against patched versions published by your distribution.

Why prioritize this

HIGH severity warrants prompt attention due to denial-of-service impact, broad applicability across Linux-based storage systems, and the simplicity of triggering the flaw from an unprivileged user context. While not critical like code execution flaws, the crash vector directly threatens availability. Prioritize patching for production storage servers, hypervisors, and containerized environments where storage I/O is intensive. Development and test systems are lower priority but should not be neglected.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects high impact (complete loss of confidentiality, integrity, and availability via crash) but limited attack vector (local-only) and privilege requirement (low-level user). The score does not account for exploit maturity or prevalence; the vulnerability is not yet in active exploitation. Organizations should weight the score against their own risk tolerance, the prevalence of mpt3sas HBAs in their environment, and the criticality of affected systems.

Frequently asked questions

Which Broadcom HBAs are vulnerable?

Any system using the mpt3sas driver with NVMe support is potentially affected. This includes Megaraid SAS 9000 and 9500 series controllers. Check your system's HBA model with 'lspci | grep -i megaraid' or 'lspci | grep -i broadcom' and verify whether mpt3sas is loaded with 'lsmod | grep mpt3sas'.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and valid user credentials. Remote attackers cannot exploit it directly. However, in cloud or containerized environments, any user with instance or container access becomes a local attacker.

What is the practical window for patching?

Update kernel versions promptly through your distribution's package management system. Most distributions backport such fixes within 1–2 weeks of disclosure to stable and long-term support kernels. Check your vendor's security advisory for timelines and available versions.

Are there workarounds without patching?

Partial mitigation is possible by limiting I/O request sizes via storage management tools or file system parameters, but this does not address the root cause. Patching is the recommended permanent solution.

This analysis is based on publicly available CVE data current as of the publication date. CVSS scores and severity assessments are provided by the CVE source and do not constitute SEC.co risk guidance. Patch versions and timing are subject to change; verify all patch information against your Linux distribution's official security advisory. This page is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their environment, assets, and threat model. No exploit code or attack demonstrations are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10009HIGH

    CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment