CVE-2026-46022
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()<br />
<br />
ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read<br />
when the queue reader or writer index from hardware exceeds<br />
REMOTE_QUEUE_SIZE (60).<br />
<br />
A compromised service processor can trigger this by writing an<br />
out-of-range value to the reader or writer MMIO register before<br />
asserting an interrupt. Since writer is re-read from hardware on<br />
every loop iteration, it can also be set to an out-of-range value<br />
after the loop has already started.<br />
<br />
The root cause is that get_queue_reader() and get_queue_writer() return<br />
raw readl() values that are passed directly into get_queue_entry(),<br />
which computes:<br />
<br />
queue_begin + reader * sizeof(struct remote_input)<br />
<br />
with no bounds check. This unchecked MMIO address is then passed to<br />
memcpy_fromio(), reading 8 bytes from unintended device registers.<br />
For sufficiently large values the address falls outside the PCI BAR<br />
mapping entirely, triggering a machine check exception.<br />
<br />
Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of<br />
the loop body, before any call to get_queue_entry(). On an out-of-range<br />
value, reset the reader register to 0 via set_queue_reader() before<br />
breaking, so that normal queue operation can resume if the corrupted<br />
hardware state is transient.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.13 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841
- https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9
- https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107
- https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84
- https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0
- https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865
- https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab
- https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b



