APPLIED[N/J/N:HWE-6.17]/Cmnt: [SRU][Q/N/J][PATCH 0/3] CVE-2026-53176
Stefan Bader
stefan.bader at canonical.com
Thu Jul 16 12:38:33 UTC 2026
On 02/07/2026 15:28, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53176
>
> [ Impact ]
>
> In the isert (iSER target) driver, isert_login_recv_done() computes the login
> request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower
> bound, storing it in a signed int. A remote iSER initiator can post a login
> Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, causing the
> subtraction to underflow and login_req_len to become negative. That negative
> length is later sign-extended into a multi-gigabyte memcpy() length, driving a
> copy far out of bounds of the 8192-byte login buffer and crashing the target
> node. Because the login phase precedes iSCSI authentication, no credentials are
> required to trigger this remotely, making it a critical (CVSS 9.8) issue.
>
> [ Fix ]
>
> questing: clean cherry-pick
> noble: clean cherry-pick
> jammy: clean cherry-pick
> focal: clean cherry-pick
> bionic: clean cherry-pick
> xenial: backported with AI-assisted adaptation
> trusty: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> The change adds an early rejection of login PDUs shorter than ISER_HEADERS_LEN
> in the isert RDMA receive path. If the bound check were incorrect, it could
> reject otherwise valid iSER login PDUs and break legitimate iSCSI-over-RDMA
> target logins, though the upper bound was already safe and only the missing
> lower bound is added.
>
Questing is EOL.
Applied to noble,jammy:linux/master-next and
noble:linux-hwe-6.17/hwe-6.17-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/4df91086/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/4df91086/attachment-0001.sig>
More information about the kernel-team
mailing list