[SRU][R][PATCH 0/1] CVE-2026-53176

Cengiz Can cengiz.can at canonical.com
Fri Jul 3 01:56:38 UTC 2026


https://ubuntu.com/security/CVE-2026-53176

[ Impact ]

In the iSER target driver, isert_login_recv_done() computes the login request
payload length as wc->byte_len minus ISER_HEADERS_LEN (76) with no lower bound,
storing the result in a signed int. A remote iSER initiator can post a login
Send work request carrying fewer than ISER_HEADERS_LEN bytes, causing the
subtraction to underflow so login_req_len becomes negative. That negative
length survives the signed min() in isert_rx_login_req() and is sign-extended
to a multi-gigabyte size_t passed to memcpy(), driving an out-of-bounds copy
into the 8192-byte login buffer that faults and crashes the target node.
Because the login phase precedes iSCSI authentication, no credentials are
required to reach this path.

[ Fix ]

resolute: clean cherry-pick

[ Test Plan ]

Boot tested.

[ Where Problems Could Occur ]

A regression would be confined to the InfiniBand iSER target driver (ib_isert);
if the added lower-bound check were incorrect it could reject valid login PDUs
and prevent legitimate iSER initiators from establishing sessions.



More information about the kernel-team mailing list