CVE-2026-46149

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
10/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()<br /> <br /> target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a<br /> 256-byte stack buffer, then will memcpy() cur_len bytes from that<br /> buffer. snprintf() returns the length the output would have had, which<br /> can exceed the buffer size when the fabric WWN is long because iSCSI IQN<br /> names can be up to 223 bytes. The check at the memcpy() site only<br /> guards the destination page write, not the source read, so memcpy() will<br /> read past the stack buffer and copy adjacent stack contents to the sysfs<br /> reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()<br /> will be triggered.<br /> <br /> Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length<br /> check to avoid buffer overflow") added the same bound to the<br /> target_lu_gp_members_show() but the tg_pt_gp variant was missed so<br /> resolve that here.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.38 (including) 5.10.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.7 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*