HIGH · CVE-2026-46177 · CNA: Linux

CVE-2026-46177: ipmi: Add limits to event and receive message requests

In the Linux kernel, the following vulnerability has been resolved:

ipmi: Add limits to event and receive message requests

The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.

In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things. If the attn bit gets stuck, it's a similar problem. So allow messages in between flag fetches so the driver itself doesn't get stuck.

This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.

This has been there from the beginning of the driver. It's not a bug per-se, but it is accounting for bugs in BMCs.
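The bounded fetch described above, as an added illustration: a simplified user-space model, not the kernel patch or driver code. `bmc_fetch`, `drain_pass`, `run_driver` and the tick loop are hypothetical names and assumptions; only the limit of 10 comes from the description.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_FETCHES 10   /* per-pass limit stated in the description */

struct result { int fetched; int sent; };

/* Hypothetical BMC model: events < 0 means it never reports "done". */
static bool bmc_fetch(int *events)
{
    if (*events < 0)
        return true;            /* faulty BMC: always claims more data */
    if (*events == 0)
        return false;           /* healthy BMC: queue drained */
    (*events)--;
    return true;
}

/* One bounded pass; *more is set when the limit, not the BMC, ended it. */
static int drain_pass(int *events, bool *more)
{
    int n = 0;
    while (n < MAX_FETCHES && bmc_fetch(events))
        n++;
    *more = (n == MAX_FETCHES);
    return n;
}

/* Alternate bounded passes with one queued host message per iteration. */
static struct result run_driver(int events, int queued, int ticks)
{
    struct result r = {0, 0};
    for (int t = 0; t < ticks; t++) {
        bool more;
        r.fetched += drain_pass(&events, &more);
        if (queued > 0) {       /* host message serviced between passes */
            queued--;
            r.sent++;
        }
        if (!more && queued == 0)
            break;              /* nothing left to do */
    }
    return r;
}

int main(void)
{
    struct result r = run_driver(-1, 4, 5);   /* constructed stuck-BMC case */
    printf("stuck BMC: fetched=%d sent=%d\n", r.fetched, r.sent);
    return 0;
}
```

With the stuck BMC the model still services every queued host message, because each pass stops at the limit instead of waiting for a "done" that never arrives.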

HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) driver. The driver can be reached over the network and requires no authentication, and the flaw allows a misbehaving or malicious BMC (Baseboard Management Controller) to keep the driver in an infinite fetch loop by never signaling completion, exhausting the host system. Successful exploitation causes the affected service or system to become unresponsive. A patched-image rebuild is available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected Linux kernel versions. Any image whose kernel falls in the affected version range is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild targeting the fix commits (upstream, 6.6.140, 6.12.88, and 6.18.30) is available on HarborGuard for images running an affected kernel version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable IPMI driver is exposed over the network, meaning an attacker or a rogue BMC reachable over the network can trigger the loop condition.

  • Authentication: Not required

    No authentication is needed to trigger the condition; the misbehaving BMC behavior alone is sufficient to send the driver into a stuck state.

  • Victim interaction: Not required

    No user or administrator action is required; the driver processes BMC responses autonomously without any interactive step.

  • Attack complexity

    Attack complexity is low: the exploit requires no special conditions, race windows, or environmental tuning to trigger the infinite fetch loop.

Blast Radius

  • The affected host's IPMI driver enters an infinite or near-infinite fetch loop, consuming CPU and kernel scheduling resources.
  • The hung driver causes the IPMI subsystem to become unresponsive, blocking platform management operations such as sensor polling, fan control, and out-of-band management.
  • Sustained resource exhaustion can render the host kernel unresponsive or force a system restart, causing a full denial of service for workloads running on that host.

How HarborGuard Handles This

Available on HarborGuard: images containing Linux kernels in the affected version range are detected automatically at ingest time and flagged as HIGH severity. For customers with auto-remediation enabled, HarborGuard can rebuild the image at a patched kernel version (6.6.140, 6.12.88, 6.18.30, or the upstream fix commit for other branches), run a regression test suite against the rebuilt image, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before patching, the finding is queued and routed to the designated team inbox with full CVSS context attached. As an interim compensating control, customers can apply network policy rules to restrict IPMI/BMC network access to trusted management VLANs only, reducing the attack surface while a kernel update is staged.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < 67c44e0deba936d5edaebea356b4589eb43acb5c (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < e20212b431bef217d3886b86bbc90cc3ed00de68 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 3d37d2165df9504ea99d9e6181552dc4d2d1ab37 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < c024167fb00489baee08c72182ca2e7dc5fb9f20 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < c4cca236968683eb0d59abfb12d5c7e4d8514227 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
  • Linux / Linux
    2.6.12
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H