MEDIUM 5.5

CVE-2026-46108

A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-25

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46108 addresses a state management defect in the Linux kernel's IPMI SI driver (drivers/ipmi/ipmi_si_intf.c or equivalent). When the driver attempts to allocate a message buffer and the allocation fails, the code path does not properly return the driver to its normal operational state. This leaves internal state variables inconsistent, preventing subsequent message processing attempts from succeeding. The vulnerability is triggered by local privilege escalation or by a privileged process sending requests that exhaust allocator memory, causing the driver to become deadlocked or non-functional without explicit recovery.

Business impact

Systems running affected Linux kernel versions may experience intermittent or sustained loss of IPMI functionality, which is critical for out-of-band management, hardware monitoring, and remote console access on enterprise servers. For data center operations, degraded IPMI availability can complicate incident response, prevent remote system diagnostics, and force physical intervention. The impact is localized to the affected host and requires local access or elevated privileges, limiting blast radius but still materially affecting server operability and management efficiency.

Affected systems

The vulnerability affects all Linux kernel versions that include the IPMI SI driver without this fix applied. Specific kernel version ranges depend on your distribution's backport practices. Verify your kernel version against your vendor's security advisories to confirm exposure. Systems without IPMI hardware or drivers compiled out are not affected. Embedded systems, IoT devices, and servers relying on IPMI for management are most vulnerable.

Exploitability

Exploitation requires local system access and either unprivileged user rights (requiring the attacker to trigger memory pressure via crafted requests) or standard user-level privileges. The attack is not remotely exploitable and does not grant elevated privileges. However, once triggered, the resulting denial of service persists until manual recovery, making it a reliable local availability attack. No known public exploits target this specific flaw, and the CVSS vector indicates this is not prioritized for active exploitation in the wild.

Remediation

Apply the Linux kernel security update that includes the fix for IPMI SI state management. Most distributions have backported this fix into stable branches. Coordinate patching with your change management process, as kernel updates typically require system reboot. Until patching is complete, restrict local system access and monitor for failed IPMI operations. If the IPMI driver is not required for your infrastructure, disabling it via kernel module blacklist or compile-time configuration also mitigates the vulnerability.

Patch guidance

Obtain and install the latest kernel update from your Linux distribution (Red Hat, Ubuntu, SUSE, Debian, etc.). Verify the update includes the IPMI SI state management fix by cross-referencing the CVE ID and published date (2026-05-28) in the release notes. Test patching in a non-production environment first, as kernel updates require reboot. After deployment, confirm the IPMI driver remains functional by querying ipmitool or equivalent monitoring tools. Plan reboots during maintenance windows to minimize management plane downtime.

Detection guidance

Monitor system logs for IPMI driver errors (dmesg, journalctl) that indicate message allocation failures or state inconsistencies. Watch for repeated 'IPMI: out of memory' or similar alloc_failure messages. Test IPMI responsiveness using tools like ipmitool (e.g., 'ipmitool sensor list' or 'ipmitool sel list'). If IPMI commands hang or return timeout errors intermittently, the driver may be in the faulty state described in this CVE. Set up alerting on IPMI command failures to detect active exploitation or environmental stress triggering the condition.

Why prioritize this

This vulnerability merits prompt patching due to its impact on critical server management infrastructure, despite the medium CVSS score. While exploitability requires local access, the severity of losing IPMI functionality in production environments justifies expedited remediation. Organizations with large server estates should prioritize this alongside other kernel updates to reduce operational risk and management overhead.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector, low complexity, low privilege requirement, and high availability impact with no confidentiality or integrity risk. This accurately represents a local denial-of-service condition affecting a non-critical but operationally important subsystem. The score does not account for business context; environments where IPMI is essential for compliance or disaster recovery may warrant treating this as higher priority internally.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and either unprivileged or elevated local privileges. Remote exploitation is not possible. However, an attacker with shell access or a compromised local service could trigger it.

Will disabling IPMI eliminate this risk?

Yes. If your infrastructure does not rely on IPMI for remote management or monitoring, you can safely blacklist the ipmi_si kernel module or compile the driver out during kernel build. Verify that no required management tools depend on IPMI before disabling it.

Does this vulnerability allow privilege escalation or data exfiltration?

No. The vulnerability results only in a denial-of-service condition affecting the IPMI driver itself. It does not enable privilege escalation, code execution, or unauthorized data access. Once the driver recovers (via reboot or driver reload), system security posture is unchanged.

What should I do if I cannot patch immediately?

Restrict local user access and monitor for IPMI errors in system logs. Ensure your monitoring and alerting systems are configured to detect IPMI command failures. Prioritize this update in your next patching cycle; the risk is localized to management plane availability, not data confidentiality or system compromise.

This analysis is based on the CVE record published 2026-05-28 and modified 2026-06-25. Specific affected kernel versions and patch availability vary by Linux distribution. Consult your vendor's security advisory for precise version information and remediation timelines. This document does not constitute legal or compliance advice. Organizations should validate all recommendations in their own environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities