CVE-2026-46022 (GCVE-0-2026-46022)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-05-27 12:56
VLAI
Title
misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
Summary
In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 278d72ae8803ffcd16070c95fe1d53f4466dc741 , < fc7e9a74e32299d7e93e178ca482a0b59ef1595b (git)
Affected: 278d72ae8803ffcd16070c95fe1d53f4466dc741 , < 07c4f18b303106e6b24492c12b95d48a4b985841 (git)
Affected: 278d72ae8803ffcd16070c95fe1d53f4466dc741 , < 22a16d3eafee92a165c756081587c95850127107 (git)
Affected: 278d72ae8803ffcd16070c95fe1d53f4466dc741 , < 1ca75f6b74ec7f685464e5745ecfcf3a76d284e9 (git)
Affected: 278d72ae8803ffcd16070c95fe1d53f4466dc741 , < 4b6e6ead556734bdc14024c5f837132b1e7a4b84 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.13
Unaffected: 0 , < 2.6.13 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc7e9a74e32299d7e93e178ca482a0b59ef1595b",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "07c4f18b303106e6b24492c12b95d48a4b985841",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "22a16d3eafee92a165c756081587c95850127107",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "1ca75f6b74ec7f685464e5745ecfcf3a76d284e9",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            },
            {
              "lessThan": "4b6e6ead556734bdc14024c5f837132b1e7a4b84",
              "status": "affected",
              "version": "278d72ae8803ffcd16070c95fe1d53f4466dc741",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ibmasm/remote.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()\n\nibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read\nwhen the queue reader or writer index from hardware exceeds\nREMOTE_QUEUE_SIZE (60).\n\nA compromised service processor can trigger this by writing an\nout-of-range value to the reader or writer MMIO register before\nasserting an interrupt. Since writer is re-read from hardware on\nevery loop iteration, it can also be set to an out-of-range value\nafter the loop has already started.\n\nThe root cause is that get_queue_reader() and get_queue_writer() return\nraw readl() values that are passed directly into get_queue_entry(),\nwhich computes:\n\n  queue_begin + reader * sizeof(struct remote_input)\n\nwith no bounds check. This unchecked MMIO address is then passed to\nmemcpy_fromio(), reading 8 bytes from unintended device registers.\nFor sufficiently large values the address falls outside the PCI BAR\nmapping entirely, triggering a machine check exception.\n\nFix by checking both indices against REMOTE_QUEUE_SIZE at the top of\nthe loop body, before any call to get_queue_entry(). On an out-of-range\nvalue, reset the reader register to 0 via set_queue_reader() before\nbreaking, so that normal queue operation can resume if the corrupted\nhardware state is transient."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:56:26.791Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b"
        },
        {
          "url": "https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841"
        },
        {
          "url": "https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84"
        }
      ],
      "title": "misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46022",
    "datePublished": "2026-05-27T12:56:26.791Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-05-27T12:56:26.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46022",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46022\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:20.670\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmisc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()\\n\\nibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read\\nwhen the queue reader or writer index from hardware exceeds\\nREMOTE_QUEUE_SIZE (60).\\n\\nA compromised service processor can trigger this by writing an\\nout-of-range value to the reader or writer MMIO register before\\nasserting an interrupt. Since writer is re-read from hardware on\\nevery loop iteration, it can also be set to an out-of-range value\\nafter the loop has already started.\\n\\nThe root cause is that get_queue_reader() and get_queue_writer() return\\nraw readl() values that are passed directly into get_queue_entry(),\\nwhich computes:\\n\\n  queue_begin + reader * sizeof(struct remote_input)\\n\\nwith no bounds check. This unchecked MMIO address is then passed to\\nmemcpy_fromio(), reading 8 bytes from unintended device registers.\\nFor sufficiently large values the address falls outside the PCI BAR\\nmapping entirely, triggering a machine check exception.\\n\\nFix by checking both indices against REMOTE_QUEUE_SIZE at the top of\\nthe loop body, before any call to get_queue_entry(). On an out-of-range\\nvalue, reset the reader register to 0 via set_queue_reader() before\\nbreaking, so that normal queue operation can resume if the corrupted\\nhardware state is transient.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.