HIGH 7.5

CVE-2026-46177: Linux Kernel IPMI Driver Denial of Service Vulnerability

A flaw in the Linux kernel's IPMI (Intelligent Platform Management Interface) driver can cause a system to become unresponsive or hang indefinitely. The vulnerability occurs when a Baseboard Management Controller (BMC) continuously reports that it has events or messages to deliver without ever indicating it is finished. The driver lacks safeguards to prevent endless polling loops, allowing a misbehaving BMC—whether due to firmware bugs or hardware issues—to starve system resources and degrade performance or availability. The fix introduces fetch limits and scheduling improvements to prevent the driver from getting stuck in these loops.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time. In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things. If the attn bit gets stuck, it's a similar problem. So allow messages in between flag fetches so the driver itself doesn't get stuck. This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data. This has been there from the beginning of the driver. It's not a bug per-se, but it is accounting for bugs in BMCs.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The IPMI driver in the Linux kernel lacked bounds checking on event and receive message requests from the BMC. When a BMC enters a faulty state and continuously asserts that data is available (without completing delivery), the driver would poll indefinitely, consuming CPU and potentially blocking other operations. Additionally, if the attention bit (used to signal the need for event or message fetches) becomes stuck in hardware, it compounds the problem. The patch adds a 10-fetch limit per cycle and allows interleaved message delivery during flag fetches to prevent driver starvation. This is a defensive fix against BMC implementation issues rather than a direct protocol vulnerability.

Business impact

Affected systems may experience performance degradation, hung tasks, or complete unavailability if the BMC enters a faulty state. In production environments running IPMI-dependent hardware (servers, appliances, data center equipment), this can trigger unexpected downtime, missed service level agreements, or cascading failures. Organizations relying on out-of-band management for recovery may find themselves unable to remotely intervene if the kernel becomes unresponsive due to IPMI polling loops. The impact is highest in environments with older, less-reliable BMC firmware.

Affected systems

The vulnerability affects the Linux kernel across all distributions and versions. Any system running the IPMI driver—typically servers, enterprise workstations, and embedded appliances with baseboard management capabilities—is potentially vulnerable. Organizations should prioritize systems in production use, particularly those with known BMC firmware issues or in environments where uptime is critical. The vulnerability has existed since the IPMI driver's inception, meaning legacy and current kernel versions are affected.

Exploitability

This is not an exploitable vulnerability in the traditional sense; it requires a misbehaving or faulty BMC to trigger. An attacker with direct BMC access could potentially craft malicious firmware or manipulate BMC state to induce the hang, but this requires privileged access to the management interface itself. More commonly, this is triggered by legitimate BMC bugs or hardware degradation. The vulnerability is passively exploitable by any faulty BMC in the management domain, making it a reliability issue rather than an active security attack vector. No network-based exploitation is practical under normal circumstances.

Remediation

Deploy patched kernel versions that include the IPMI driver limits fix. Verify the specific patch commit against your Linux distribution's advisory or kernel.org. Additionally, audit and update BMC firmware to current stable versions, as the vulnerability is fundamentally triggered by BMC misbehavior. For immediate mitigation, disable IPMI driver polling if not operationally required, though this may limit remote management capabilities. Organizations should also monitor BMC health and logs for signs of attention bit stickiness or event queue saturation.

Patch guidance

Obtain kernel updates from your distribution's security repository or kernel.org. Verify that the applied patch includes the 10-fetch limit and attention bit handling improvements described in the fix. Test patches in non-production environments first, particularly in systems with critical BMC dependencies. If using vendor-maintained kernels (RHEL, SLES, Ubuntu LTS, etc.), consult the vendor's security advisory for specific version numbers and update procedures. After patching, monitor system stability and BMC health metrics to confirm the fix is effective.

Detection guidance

Monitor kernel logs for repeated IPMI event fetches or messages from the BMC. Watch for high CPU usage correlated with IPMI driver activity, or processes in uninterruptible sleep (D state) related to ipmi_si or similar drivers. Performance monitoring tools can reveal unexpected latency or stalls when IPMI polling begins. Check BMC firmware logs for attention bit stickiness or event queue saturation. If available, use IPMI monitoring tools to inspect BMC state and verify that event delivery completes normally. Alerting on excessive IPMI driver wakeups or task hangs can help identify problems early.

Why prioritize this

Although not actively exploited in the wild (KEV status: false), the HIGH CVSS score reflects the availability impact: a HIGH severity rating with zero authentication required and network attack surface. In production environments, IPMI driver hangs can cause unscheduled downtime, making this a reliability and business continuity priority. Organizations with critical uptime requirements, large server fleets with mixed BMC firmware versions, or known BMC stability issues should prioritize patching. Delay increases risk of unplanned outages triggered by BMC faults.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) is driven by high availability impact (A:H), zero access barriers (AV:N, PR:N), and low attack complexity (AC:L). The score reflects that any network-reachable system running the vulnerable kernel can become unresponsive if its BMC misbehaves or fails. No confidentiality or integrity breach is involved, but denial of service is severe. The nuance is that actual trigger requires BMC-side faults; this is not a remotely weaponizable code injection. The score appropriately elevates the priority due to availability risk in production systems.

Frequently asked questions

Can an attacker exploit this remotely without BMC access?

No. The vulnerability requires a faulty or compromised BMC to trigger continuous event delivery. Remote code execution against the kernel itself is not involved. An attacker would need direct or indirect control over the BMC to craft malicious firmware or manipulate its state, which typically requires privileged access to the management network.

Will patching the kernel alone fix the problem if my BMC firmware is faulty?

Patching the kernel will prevent the driver from hanging even if the BMC misbehaves, but it does not repair the underlying BMC fault. For a complete solution, also update the BMC firmware to the latest stable version. The kernel patch provides resilience; firmware updates address the root cause.

What should I do if I cannot patch immediately?

Disable the IPMI driver if not operationally critical, or restrict BMC access to trusted networks only. Monitor system health closely for signs of hang or performance degradation. Prioritize environments with known BMC stability issues or older hardware. Schedule patching as soon as feasible, since the fix is relatively low-risk and addresses a reliability issue.

Does this vulnerability affect cloud or virtualized systems?

Cloud systems with direct BMC access (bare metal, some dedicated servers) are affected. Virtualized guests without BMC access are not. Consult your cloud provider or hosting environment documentation to determine if IPMI is exposed to your workloads.

This analysis is based on published CVE data and Linux kernel advisories as of the knowledge cutoff. Patch version numbers and specific distribution updates must be verified against official vendor advisories. The vulnerability does not appear in the CISA KEV catalog and has not been observed in active exploitation. Organizations should validate compatibility and test patches in non-production environments before deployment. This is not legal advice; consult with your security and legal teams regarding compliance and incident response obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).