PatchSiren

CVE-2026-46149 Linux CVE debrief

A buffer over-read vulnerability exists in the Linux kernel's SCSI target subsystem. The function `tg_pt_gp_members_show()` in `drivers/target/target_core_configfs.c` uses `snprintf()` to format LUN paths into a 256-byte stack buffer, then copies the result using `memcpy()` based on `snprintf()`'s return value. Because `snprintf()` returns the length the output *would* have had (not the truncated length), and iSCSI IQN names can reach 223 bytes, the return value can exceed the buffer size. The existing check only validates the destination page write, not the source read, causing `memcpy()` to read past the stack buffer boundary. When `CONFIG_FORTIFY_SOURCE` is enabled, this triggers `fortify_panic()`. This vulnerability is the `tg_pt_gp_members_show()` variant of a similar issue previously fixed in `target_lu_gp_members_show()` via commit 27e06650a5ea.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

System administrators running Linux kernels with iSCSI target mode (LIO/target_core_mod) enabled; security teams monitoring for kernel memory safety issues; organizations with `CONFIG_FORTIFY_SOURCE` enabled experiencing unexpected `fortify_panic()` events.

Technical summary

The vulnerability stems from incorrect handling of `snprintf()` return values in `tg_pt_gp_members_show()`. When formatting LUN paths with long iSCSI IQN names (up to 223 bytes), the unconstrained return value causes `memcpy()` to read beyond the 256-byte stack buffer. The fix bounds the return value to `sizeof(buf) - 1`, matching the pattern applied to `target_lu_gp_members_show()` in commit 27e06650a5ea.
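The return-value behaviour described above, as an added userspace model in C (not the kernel source): it shows `snprintf()` reporting more bytes than the 256-byte buffer holds, and the clamp to `sizeof(buf) - 1` keeping the `memcpy()` source read in bounds. The function names, the format string, the 4096-byte page size and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN  256    /* stack buffer size stated on the page */
#define PAGE_LEN 4096   /* assumed size of the destination page */
#define FMT      "%s/%s/%s\n"   /* constructed format, not the kernel's */

/* What snprintf() reports: the would-be length, even when buf was truncated. */
static int reported_len(const char *fabric, const char *wwn, const char *lun)
{
    char buf[BUF_LEN];
    return snprintf(buf, sizeof(buf), FMT, fabric, wwn, lun);
}

/* Bounded pattern: clamp before the length becomes a memcpy() size.
 * Returns bytes appended to page, or 0 if the entry does not fit. */
static size_t append_member(char *page, size_t used, const char *fabric,
                            const char *wwn, const char *lun)
{
    char buf[BUF_LEN];
    int n = snprintf(buf, sizeof(buf), FMT, fabric, wwn, lun);
    size_t cur = n < 0 ? 0 : (size_t)n;  /* encoding error: copy nothing */

    if (cur > sizeof(buf) - 1)       /* the clamp described as the fix */
        cur = sizeof(buf) - 1;
    if (used + cur > PAGE_LEN)       /* destination-only check, as before */
        return 0;
    memcpy(page + used, buf, cur);   /* source read now stays inside buf */
    return cur;
}

/* Constructed input: a 223-byte name, the IQN maximum given on the page. */
static void make_long_name(char dst[224])
{
    memset(dst, 'a', 223);
    memcpy(dst, "iqn.2026-05.example:", 20);
    dst[223] = '\0';
}

int main(void)
{
    char wwn[224], page[PAGE_LEN];
    const char *lun = "tpgt_1/lun_0/alias_of_backing_store_0123456789";
    make_long_name(wwn);
    printf("reported=%d copied=%zu\n", reported_len("iscsi", wwn, lun),
           append_member(page, 0, "iscsi", wwn, lun));
    return 0;
}
```

Without the clamp, the value from `reported_len()` would be used directly as the copy size, which is the over-read that `CONFIG_FORTIFY_SOURCE` turns into `fortify_panic()`.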

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your branch: 6.14 (ref-4), 6.12 (ref-5), 6.6 (ref-6), 6.1 (ref-7), or 5.15 (ref-8)
  • Rebuild kernel with the applied patch and reboot systems serving iSCSI targets
  • Verify `CONFIG_FORTIFY_SOURCE` is enabled to detect similar memory safety issues
  • Audit custom SCSI target configurations with long fabric WWN names for potential exposure
  • Monitor kernel logs for `fortify_panic()` messages indicating exploitation attempts

Evidence notes

The CVE description and kernel commit references confirm the vulnerability is a stack buffer over-read in SCSI target configfs handling, specifically in `tg_pt_gp_members_show()`. The fix applies the same pattern used in commit 27e06650a5ea for `target_lu_gp_members_show()`. Multiple stable kernel branches received backports.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree with patches published on 2026-05-28. The issue was resolved by bounding the `snprintf()` return value to prevent the over-read condition.