PatchSiren

CVE-2026-46128 Linux CVE debrief

A vulnerability in the Linux kernel's IPMI subsystem has been resolved. The issue involved insufficient validation of event message buffer response data sizes. Some Baseboard Management Controllers (BMCs) were returning empty messages instead of proper error codes when fetching events, which could lead to processing of malformed data. The fix adds immediate size checking upon response receipt, rather than deferring validation to later processing stages. This is a defensive hardening measure triggered by behavior observed in newer BMC hardware.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

System administrators managing servers with IPMI/BMC functionality, Linux distribution maintainers, and organizations running Linux on hardware with Baseboard Management Controllers.

Technical summary

The Linux kernel IPMI driver did not validate event message buffer response data sizes immediately upon receipt. Some BMC implementations return empty messages rather than error codes when event fetching fails. The vulnerability is resolved by adding early size validation to prevent processing of malformed responses. Patches are available for multiple stable kernel branches.
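The validate-at-receipt pattern described above, as an added example that is not the kernel's code or the upstream patch. The response layout (three header bytes followed by a 16-byte event record), the constants, and all function and type names are assumptions made for illustration; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustrative): byte 0 netfn/lun, byte 1 command,
 * byte 2 completion code, bytes 3..18 the 16-byte event record. */
#define EVT_HDR_LEN  3
#define EVT_DATA_LEN 16
#define EVT_RSP_LEN  (EVT_HDR_LEN + EVT_DATA_LEN)

enum evt_status { EVT_OK = 0, EVT_TRUNCATED = -1, EVT_BMC_ERROR = -2 };

struct event_record { uint8_t data[EVT_DATA_LEN]; };

/* Check the size as soon as the response arrives, before any field is
 * read, so an empty message is rejected instead of reaching later stages. */
static enum evt_status accept_event_rsp(const uint8_t *rsp, size_t rsp_len,
                                        struct event_record *out)
{
    if (rsp == NULL || out == NULL || rsp_len < EVT_HDR_LEN)
        return EVT_TRUNCATED;   /* empty reply: no completion code to read */
    if (rsp[2] != 0x00)
        return EVT_BMC_ERROR;   /* BMC reported the failure properly */
    if (rsp_len < EVT_RSP_LEN)
        return EVT_TRUNCATED;   /* claims success but carries no full record */
    memcpy(out->data, rsp + EVT_HDR_LEN, EVT_DATA_LEN);
    return EVT_OK;
}

int main(void)
{
    /* Constructed samples: full response, empty one, header-only "success". */
    uint8_t full[EVT_RSP_LEN] = { 0x1c, 0x35, 0x00, 0x55 };
    struct event_record rec;

    printf("full=%d empty=%d short=%d\n",
           accept_event_rsp(full, sizeof full, &rec),
           accept_event_rsp(full, 0, &rec),
           accept_event_rsp(full, EVT_HDR_LEN, &rec));
    return 0;
}
```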

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your kernel version
  • Monitor kernel stable mailing lists for backport availability to your specific kernel branch
  • Review IPMI/BMC firmware versions and consider updates if available from hardware vendors
  • Verify IPMI event logging functionality after kernel update to ensure proper operation

Evidence notes

The vulnerability description indicates this is a resolved kernel issue with patches available. The fix involves adding early validation of IPMI event message buffer responses to handle BMCs that return empty messages. Multiple stable kernel branch commits are referenced, suggesting backports to supported kernel versions.
