Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-46149

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.
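The pattern described above, modelled in userspace C as an added example (not the kernel's code and not the upstream patch): the format string, NAME_BUF, PAGE_SZ and the function names are assumptions made for illustration. reported_len() shows snprintf() returning more than the buffer holds; append_member() clamps the copy length to what was actually stored before applying the destination check.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* stack buffer size stated in the advisory */
#define PAGE_SZ  4096  /* assumed size of the destination page */

/* Length snprintf() reports for one member line; it may exceed NAME_BUF. */
static int reported_len(const char *wwn, unsigned tpgt, const char *lun)
{
    char buf[NAME_BUF];
    return snprintf(buf, sizeof(buf), "%s/tpgt_%u/%s\n", wwn, tpgt, lun);
}

/* Append one line to page; returns the new length, or len if nothing fits. */
static size_t append_member(char *page, size_t len,
                            const char *wwn, unsigned tpgt, const char *lun)
{
    char buf[NAME_BUF];
    int n = snprintf(buf, sizeof(buf), "%s/tpgt_%u/%s\n", wwn, tpgt, lun);
    size_t cur_len;

    if (n < 0)
        return len;
    cur_len = (size_t)n;
    /* Source bound: snprintf() stored at most NAME_BUF - 1 characters. */
    if (cur_len >= sizeof(buf))
        cur_len = sizeof(buf) - 1;
    /* Destination bound: the only check the vulnerable pattern had. */
    if (len + cur_len > PAGE_SZ)
        return len;
    memcpy(page + len, buf, cur_len);
    return len + cur_len;
}

int main(void)
{
    char page[PAGE_SZ], wwn[224], lun[64];
    size_t len;

    memset(wwn, 'q', 223); wwn[223] = '\0';   /* constructed 223-byte IQN */
    memset(lun, 'l', 63);  lun[63] = '\0';    /* constructed long LUN name */

    len = append_member(page, 0, wwn, 1, lun);
    printf("snprintf reported %d, copied %zu\n", reported_len(wwn, 1, lun), len);
    return 0;
}
```

Without the source bound, the memcpy() length would be the reported value, which here is larger than the 256-byte buffer it reads from.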

Impact