CVE-2026-46105 Linux CVE debrief

Who should care

System administrators running Linux systems with mpt3sas HBAs connected to NVMe storage; kernel maintainers and distribution security teams packaging kernel updates

Technical summary

The mpt3sas driver in the Linux kernel did not properly limit NVMe request sizes to match its internal 4K PRP list buffer capacity (512 entries, 2 MiB max). The HBA firmware reports MDTS values based on drive capabilities, which could exceed this limit. The vulnerability is resolved by capping max_hw_sectors to the minimum of the reported MDTS and the 2 MiB driver limit, preventing oversized I/O requests that could cause kernel oops conditions.

Defensive priority

high

Recommended defensive actions

• Apply kernel updates containing the mpt3sas NVMe request size limit fix
• Verify mpt3sas driver version includes the max_hw_sectors limitation to 2 MiB
• Monitor systems using mpt3sas HBAs with NVMe drives for stability issues prior to patching
• Review kernel logs for oops traces related to mpt3sas NVMe I/O operations

Evidence notes

The vulnerability description indicates a kernel oops can occur when oversized I/O is issued due to a mismatch between firmware-reported MDTS and the driver's fixed 4K PRP list buffer. The fix was committed to the Linux kernel stable tree.

Official resources