CRITICAL · CVE-2026-53176 · CNA: Linux

CVE-2026-53176: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.
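The length arithmetic the description walks through, as an added example that is not the kernel's ib_isert.c: a small C model of the pre-fix computation (signed min() keeping a negative value, then sign-extension to size_t) beside the post-fix lower-bound check, so both can be exercised on sample byte_len values without any network or RDMA code. ISER_HEADERS_LEN and MAX_KEY_VALUE_PAIRS take the values given above; ISER_RX_PAYLOAD_SIZE is assumed to be their sum, which is the relationship the upper-bound argument relies on; the function names are this example's own.

```c
/*
 * Added example (not the kernel's ib_isert.c): models the login-length
 * arithmetic described in the advisory so the failure and the fix can be
 * checked in isolation. ISER_HEADERS_LEN and MAX_KEY_VALUE_PAIRS use the
 * values stated in the advisory; ISER_RX_PAYLOAD_SIZE is assumed to be
 * their sum. Function names are this example's own.
 */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define ISER_HEADERS_LEN      76     /* iSER + iSCSI headers, from the advisory */
#define MAX_KEY_VALUE_PAIRS   8192   /* size of login->req_buf, from the advisory */
#define ISER_RX_PAYLOAD_SIZE  (ISER_HEADERS_LEN + MAX_KEY_VALUE_PAIRS) /* assumed upper bound on a posted login buffer */

/* Signed minimum: the behaviour the advisory attributes to min() on two ints. */
static int min_int(int a, int b)
{
    return a < b ? a : b;
}

/*
 * Pre-fix computation. wc->byte_len is unsigned in the kernel but the
 * result lands in a signed int, so a byte_len below ISER_HEADERS_LEN yields
 * a negative login_req_len. Returns the value that would reach memcpy() as
 * its size_t length argument.
 */
size_t login_copy_len_unchecked(uint32_t byte_len)
{
    int login_req_len = (int)byte_len - ISER_HEADERS_LEN; /* no lower bound: can go negative */
    int rx_buflen = login_req_len;                        /* read back into a signed int */
    int size = min_int(rx_buflen, MAX_KEY_VALUE_PAIRS);   /* signed min keeps the negative value */
    return (size_t)size;                                  /* negative int sign-extends to a huge size_t */
}

/*
 * Post-fix computation: the lower bound is enforced before the subtraction,
 * mirroring the existing early return on a failed work completion.
 * Returns -1 when the PDU is rejected, otherwise the bounded copy length.
 */
long login_copy_len_checked(uint32_t byte_len)
{
    if (byte_len < ISER_HEADERS_LEN)
        return -1;                                        /* reject short login PDUs; nothing is copied */
    int login_req_len = (int)(byte_len - ISER_HEADERS_LEN);
    return min_int(login_req_len, MAX_KEY_VALUE_PAIRS);   /* the upper bound was already safe */
}

/* True when the unchecked arithmetic would size the copy past req_buf. */
int unchecked_copy_overflows(uint32_t byte_len)
{
    return login_copy_len_unchecked(byte_len) > (size_t)MAX_KEY_VALUE_PAIRS;
}

int main(void)
{
    /* Constructed sample completion lengths: below, at, and above the header size. */
    const uint32_t samples[] = { 0, 40, 75, 76, 176, ISER_RX_PAYLOAD_SIZE };
    size_t i;

    printf("%-10s %-22s %-10s\n", "byte_len", "unchecked memcpy len", "checked");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10u %-22zu %-10ld\n", samples[i],
               login_copy_len_unchecked(samples[i]),
               login_copy_len_checked(samples[i]));
    }
    return 0;
}
```

Compiled and run as-is, the table shows every byte_len below 76 producing an unchecked memcpy length close to SIZE_MAX while the checked variant returns -1 for the same inputs, and the two agree from 76 bytes up to the assumed ISER_RX_PAYLOAD_SIZE, where both clamp to MAX_KEY_VALUE_PAIRS.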

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is an integer underflow vulnerability in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver, specifically in the IB/isert login PDU handler. A remote attacker can send a crafted login packet smaller than 76 bytes over the network, requiring no authentication, which causes a signed integer underflow that is later sign-extended into a multi-gigabyte memcpy size, corrupting kernel memory and crashing the target node. The result is a full denial of service via kernel fault, with the additional risk of out-of-bounds memory exposure. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected Linux kernel version. Any image whose kernel falls within the affected version ranges is flagged automatically in the customer registry and CI/CD pipeline scan.

Triage (Available)

HarborGuard scores this CVE at its published CVSS v3.1 severity of 9.8 (Critical) and weights it against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership and policy rules.

Patch (Available)

A patched-image rebuild at the fix versions (5.10.259, 5.15.210, and the associated upstream commits) is available on HarborGuard for any environment running an affected kernel. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the iSER target port over the network; the vulnerable code path is exercised during the iSCSI login phase, which is exposed as a network service.

  • Authentication: Not required

    No credentials are needed; the vulnerable login PDU handler runs before iSCSI authentication is performed, so any unauthenticated initiator can trigger the underflow.

  • Victim interaction: Not required

    The attack is fully remote and unsolicited; the target node processes the malformed login PDU without any action required from an operator or user.

  • Attack complexity: Low

    Exploit reliability is high and the attack is condition-free; the attacker simply sends a login PDU shorter than 76 bytes, and no race conditions or memory layout constraints are required.

Blast Radius

  • The kernel crashes outright on the target node due to a fatal out-of-bounds memcpy, taking down all workloads hosted on that node.
  • Out-of-bounds kernel memory is read and copied during the oversized memcpy, potentially exposing kernel heap contents such as keys, tokens, or other in-flight data.
  • Kernel memory outside the 8192-byte login buffer is overwritten before the fault, which may corrupt data structures belonging to other processes or kernel subsystems on the same host.
  • Any iSER storage target reachable from an untrusted network segment is at risk, since the vulnerable path requires no prior session establishment or privilege.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against customer images within minutes of CVE publication, covering both distribution-packaged kernels and custom-built images that vendor their own kernel. For environments running an affected kernel version, a patched-image rebuild at 5.10.259, 5.15.210, or the corresponding upstream commit is available. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with fix-version details so the owning team can act manually. As a compensating control while a rebuild is prepared, customers can apply network policy to restrict which initiator addresses are permitted to reach the iSER target port, limiting the pool of hosts that can send unauthenticated login PDUs.


Fix available

Fix commits:
  • 01ca40b243277c9e88be5e00bd3e083f71aefb93
  • e29e7b925ae6df64894e82ab6419994dc25580a8
  • 75ee6e4aa096aa9e7b2dd5c8ff98356e30aceefb
  • bd22740d7f14cb1c0289444cfd2c8d2938667c1d
  • c1234229399f4af12c553b1b0ffd978eeba65548
  • c5584e089b5af7b3bf8bd5e8ca0560cbf32b0a47
  • df422fd273c96c2ee5beb80fc21adc8c70c29260
  • e8a013c0c3ca2f6708341a56612a3f6d6921620a

Fixed in versions: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1

Affected packages
  • Linux / Linux (by commit): each range starts at b8d26b3be8b33682cf163274ed07479a70554633 and ends before the fix commit
      • < 75ee6e4aa096aa9e7b2dd5c8ff98356e30aceefb
      • < e8a013c0c3ca2f6708341a56612a3f6d6921620a
      • < bd22740d7f14cb1c0289444cfd2c8d2938667c1d
      • < c1234229399f4af12c553b1b0ffd978eeba65548
      • < c5584e089b5af7b3bf8bd5e8ca0560cbf32b0a47
      • < df422fd273c96c2ee5beb80fc21adc8c70c29260
  • Linux / Linux (by version): affected from 3.10; fixed in 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H