ACK: [SRU][Q/N/J][PATCH 0/3] CVE-2026-53176
Jian Hui Lee
jianhui.lee at canonical.com
Thu Jul 16 02:22:02 UTC 2026
Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>
On Thu, Jul 02, 2026 at 04:28:55PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53176
>
> [ Impact ]
>
> In the isert (iSER target) driver, isert_login_recv_done() computes the login
> request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower
> bound, storing it in a signed int. A remote iSER initiator can post a login
> Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, causing the
> subtraction to underflow and login_req_len to become negative. That negative
> length is later sign-extended into a multi-gigabyte memcpy() length, driving a
> copy far out of bounds of the 8192-byte login buffer and crashing the target
> node. Because the login phase precedes iSCSI authentication, no credentials are
> required to trigger this remotely, making it a critical (CVSS 9.8) issue.
>
> [ Fix ]
>
> questing: clean cherry-pick
> noble: clean cherry-pick
> jammy: clean cherry-pick
> focal: clean cherry-pick
> bionic: clean cherry-pick
> xenial: backported with AI-assisted adaptation
> trusty: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> The change adds an early rejection of login PDUs shorter than ISER_HEADERS_LEN
> in the isert RDMA receive path. If the bound check were incorrect, it could
> reject otherwise valid iSER login PDUs and break legitimate iSCSI-over-RDMA
> target logins, though the upper bound was already safe and only the missing
> lower bound is added.
>
More information about the kernel-team
mailing list