CVE-2026-46149
A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- Weaknesses (CWE)
- CWE-674
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered. Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in target_tg_pt_gp_members_show(), a sysfs callback in the Linux SCSI target subsystem. The function uses snprintf() to format LUN (Logical Unit Number) paths into a 256-byte stack buffer. snprintf() returns the number of bytes that would have been written if the buffer were large enough, not the actual bytes written. When an iSCSI IQN name (which can be up to 223 bytes) is long, snprintf() returns a value exceeding 256. The subsequent memcpy() operation reads cur_len bytes from the stack buffer without bounds-checking the source. This causes out-of-bounds reads from the kernel stack, copying adjacent kernel memory into userspace via the sysfs interface. When CONFIG_FORTIFY_SOURCE is enabled, the fortify_panic() macro detects the overrun and triggers a kernel panic. The fix mirrors a prior patch (commit 27e06650a5ea) applied to a similar function, target_lu_gp_members_show(), which had already been corrected but was missed in this variant.
Business impact
This vulnerability creates two distinct business risks. First, any local user on an affected system can trigger a denial-of-service condition, rendering storage services unavailable without requiring root privileges. Second, on systems without fortification mitigations, kernel memory disclosure enables privilege escalation reconnaissance—an attacker can read sensitive kernel state to identify gadgets or credentials for further exploitation. For organizations operating Linux-based storage appliances, SAN controllers, or hypervisors, this translates to potential service disruptions and heightened risk of lateral movement if memory disclosure is exploited.
Affected systems
All Linux kernel versions containing the vulnerable code path in the SCSI target subsystem's configfs interface are affected. This impacts systems running the Linux kernel with SCSI target support enabled (typically storage appliances, hypervisors, and systems exporting block devices via iSCSI or other SCSI-over-fabric protocols). Systems must have the target subsystem configured and the sysfs interface accessible to local users to be exploitable.
Exploitability
Exploitation requires local access and low privileges (a standard unprivileged user account). No network access is needed. An attacker simply reads from /sys/kernel/config/target/iscsi/.../tg_pt_gp/*/members to trigger the vulnerability. Triggering denial-of-service on CONFIG_FORTIFY_SOURCE systems is trivial; leaking kernel memory on systems without fortification requires reading the sysfs file repeatedly to extract useful data. The barrier to exploitation is low.
Remediation
Apply the kernel patch that bounds the snprintf() return value before using it in memcpy(), matching the fix already applied to target_lu_gp_members_show(). The patch ensures that only the actual bytes written to the buffer (capped at the buffer size) are read and copied to userspace. Verify the patch version against your Linux distribution's security advisory. Interim mitigation: restrict access to /sys/kernel/config/target via file permissions or namespacing if local user access can be limited.
Patch guidance
Patches are available through your Linux distribution's security update channels. Check advisories from Red Hat, Canonical, SUSE, and other vendors for kernel updates addressing CVE-2026-46149. The fix involves a bounds check on the snprintf() return value in tg_pt_gp_members_show(). Apply the latest stable or LTS kernel version recommended by your vendor. Test in a non-production environment before rolling out broadly, particularly on storage-critical systems.
Detection guidance
Monitor kernel logs for fortify_panic() messages or stack overflow warnings on systems with CONFIG_FORTIFY_SOURCE enabled, which indicate exploitation attempts. On systems without fortification, detection is difficult; however, repeated non-root access to /sys/kernel/config/target/**/members files may signal reconnaissance. Implement file integrity monitoring on configfs paths if feasible. Intrusion detection can flag unusual sysfs reads from unprivileged processes. Consider restricting sysfs access via AppArmor, SELinux, or Seccomp policies to mitigate attack surface.
Why prioritize this
This is a HIGH-severity local privilege escalation and denial-of-service issue (CVSS 7.1). While it requires local access, it is trivial to trigger and affects any system running affected Linux kernels with SCSI target support. Storage appliances, hypervisors, and multi-tenant systems are at elevated risk. Rapid patching is warranted for production storage infrastructure.
Risk score, explained
CVSS 3.1 score of 7.1 (HIGH) reflects: local attack vector (AV:L), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction (UI:N), and impacts to both confidentiality (information disclosure via memory leak) and availability (kernel panic). The absence of integrity impact (I:N) prevents a critical rating, but the combination of memory leak and DoS makes this a strong HIGH priority.
Frequently asked questions
Do I need network access to exploit this?
No. This vulnerability requires only local access to the affected system. An unprivileged user account is sufficient to read the vulnerable sysfs file and trigger either a kernel panic or memory leak.
How long have these systems been vulnerable?
The vulnerable code path has existed in the Linux kernel's SCSI target subsystem for some time. A similar vulnerability in target_lu_gp_members_show() was patched in commit 27e06650a5ea, but the tg_pt_gp variant was missed until now. Check your kernel version and release notes for the exact affected range.
What does 'CONFIG_FORTIFY_SOURCE' do in this context?
CONFIG_FORTIFY_SOURCE is a kernel hardening feature that detects buffer overruns at runtime and triggers a panic rather than allowing silent memory corruption. On systems with this enabled, the vulnerability causes an immediate denial-of-service. Without it, the overflow is silent, allowing kernel memory disclosure but no crash—making it actually more dangerous for attackers seeking reconnaissance.
Are container or VM environments at higher risk?
Hypervisors and container hosts running the Linux kernel with SCSI target support are at elevated risk if local user access is permitted (e.g., in multi-tenant scenarios). Single-tenant or restricted-access systems face lower risk, but any system allowing unprivileged local users should prioritize patching.
This analysis is based on publicly disclosed vulnerability information and the CVE record as of the publication date. Patch availability, affected versions, and vendor timelines are subject to change; always consult official vendor security advisories for your specific distribution and kernel version. SEC.co does not provide guaranteed accuracy for future patch releases or exploit proof-of-concepts. Use this intelligence as one input among many in your risk assessment and patching decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40989MEDIUM
CVE-2026-40989: Spring Cloud Function Infinite Recursion OOM Vulnerability
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGH
CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGH
CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)