MEDIUM 5.5

CVE-2026-46128

A vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem allows local authenticated users to cause a denial of service. The issue stems from insufficient validation of event message buffer responses from Baseboard Management Controllers (BMCs). Some BMCs may return empty or malformed event messages instead of proper error responses, which the kernel fails to validate immediately. This can lead to kernel crashes or hangs when processing these invalid responses. The vulnerability requires local access and authenticated privileges to trigger, limiting its immediate blast radius but requiring attention in environments where untrusted local users have system access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The IPMI event message handling code in the Linux kernel performs response data size validation too late in the processing pipeline. When a BMC returns an event message with an empty or invalid buffer, the kernel does not immediately sanitize or reject this response. Instead, the validation occurs during downstream processing, allowing malformed data to propagate and potentially cause memory access violations or NULL pointer dereferences. This issue has become more prevalent with newer BMC implementations that exhibit this erroneous behavior. The fix involves moving validation earlier in the response handling flow to catch bad data immediately after it arrives from the BMC, preventing corrupt data from reaching the processing logic.

Business impact

Organizations running Linux systems with IPMI-enabled hardware face potential service disruptions if local users can trigger kernel crashes through this vulnerability. Data center and cloud environments with physical hardware management capabilities are most affected. The impact is primarily availability-focused rather than confidentiality or integrity compromising. Systems that experience kernel panics require manual intervention and recovery, increasing operational overhead. In virtualized or containerized environments where IPMI access is limited, the business risk is lower, but on-premises infrastructure with shared IPMI access warrants remediation planning.

Affected systems

All versions of the Linux kernel incorporating the IPMI subsystem prior to the patch are potentially vulnerable. This includes both older stable kernels and recent distributions. Any Linux system with active IPMI functionality—typically found in enterprise servers, data center hardware, and specialized embedded systems—is in scope. Desktop and laptop systems without IPMI hardware are not affected. Verify your kernel version against your distribution's security advisories for specific patched versions.

Exploitability

Exploitation requires local system access with authenticated user privileges. An attacker cannot exploit this remotely. The attacker must be able to execute code or commands on the affected system to trigger IPMI event message handling. No user interaction is required beyond initial system access. The vulnerability is inherently low in exploitability complexity because the malicious condition (empty BMC response) may occur naturally with certain BMC firmware implementations, meaning even non-malicious BMC behavior could trigger the crash. This makes it a denial of service vector rather than a code execution or privilege escalation path.

Remediation

Update your Linux kernel to a patched version that includes the event message buffer validation fix. Most major distributions have released kernel security updates addressing this issue. Verify your specific distribution's security advisories for exact patch versions. In the interim, restrict local user access to systems with active IPMI if operational security permits. Organizations should prioritize patching production systems running on hardware with IPMI capabilities, particularly in data center and managed service environments where multiple users may have system access.

Patch guidance

Apply the latest kernel security updates from your Linux distribution's official repository. Ubuntu, Red Hat, SUSE, Debian, and other major distributions have published updates. Verify the patch version against your vendor's security advisory before deploying. Test kernel updates in non-production environments first, as they require system reboot. Document patch application for audit and compliance purposes. After patching, confirm IPMI functionality remains operational to ensure the fix does not introduce regression.

Detection guidance

Monitor kernel logs (via journalctl or dmesg) for IPMI-related errors, particularly messages involving event message processing failures or buffer validation errors. Watch for unexpected kernel crashes or reboots on systems with IPMI enabled. System administrators should review BMC firmware versions to identify instances of BMCs known to exhibit empty message returns. Network monitoring can track unusual IPMI traffic patterns, though most activity occurs over out-of-band management channels. Host-based monitoring of process exit codes and system stability can help identify recurring crashes tied to IPMI operations.

Why prioritize this

Although classified as MEDIUM severity, prioritize this vulnerability in environments with IPMI-enabled hardware and multi-user local access. Data centers, cloud providers, and shared hosting infrastructure should patch promptly. Single-user systems or those with strict access controls present lower risk. The lack of KEV (Known Exploited Vulnerability) status indicates limited real-world exploitation, but the natural occurrence of the trigger condition (empty BMC responses) means the vulnerability can be encountered without adversarial intent.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector requiring authentication, limited to denial of service impact without confidentiality or integrity compromise. The score appropriately captures that this is not a critical remote vulnerability, but the scope is unaffected, indicating the impact is confined to the vulnerable system. The high availability impact component (A:H) elevates the score within the MEDIUM range due to kernel crash potential. Organizations should contextualize this score within their own risk posture regarding local user trust and IPMI exposure.

Frequently asked questions

What is IPMI and why does it matter for this vulnerability?

IPMI is a standardized interface for out-of-band management of servers and hardware, allowing administrators to monitor and control systems remotely even if the OS is down. The Baseboard Management Controller (BMC) is the embedded computer that handles IPMI requests. This vulnerability affects the Linux kernel's handling of event messages from BMCs, making it relevant to any organization managing physical hardware infrastructure.

Can this vulnerability be exploited remotely?

No. This vulnerability requires local system access with user-level privileges. An attacker cannot exploit it over the network. However, in multi-tenant or shared hosting environments where multiple users have local access, an authenticated user could trigger the denial of service.

Does this affect cloud or virtualized environments?

Cloud environments using virtualized or containerized infrastructure typically do not expose IPMI to guest instances, so they are largely unaffected. However, cloud providers managing physical infrastructure and organizations running on-premises hypervisors with IPMI access should patch. Verify your specific infrastructure architecture with your cloud or virtualization platform vendor.

How do I know if my system has IPMI enabled?

Check for the presence of IPMI device files (typically /dev/ipmi0 or similar) or use the command 'dmidecode' to query DMI data for BMC presence. Servers with out-of-band management typically have IPMI enabled by default. Consult your hardware documentation or system administrator for confirmation.

This analysis is for informational purposes and should not be considered legal or professional security advice. All vulnerability details are based on publicly available information current as of the analysis date. Patch version numbers, affected product lists, and remediation guidance should be verified against official vendor advisories before implementation. Organizations must conduct their own risk assessments and testing before deploying patches or security controls. SEC.co and the author disclaim liability for damages resulting from patch application, system configuration changes, or operational decisions based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities