{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23059", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.952Z", "datePublished": "2026-02-04T16:07:42.150Z", "dateUpdated": "2026-05-11T21:59:12.428Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:12.428Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Sanitize payload size to prevent member overflow\n\nIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size\nreported by firmware is used to calculate the copy length into\nitem->iocb. However, the iocb member is defined as a fixed-size 64-byte\narray within struct purex_item.\n\nIf the reported frame_size exceeds 64 bytes, subsequent memcpy calls will\noverflow the iocb member boundary. While extra memory might be allocated,\nthis cross-member write is unsafe and triggers warnings under\nCONFIG_FORTIFY_SOURCE.\n\nFix this by capping total_bytes to the size of the iocb member (64 bytes)\nbefore allocation and copying. This ensures all copies remain within the\nbounds of the destination structure member."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/qla2xxx/qla_isr.c"], "versions": [{"version": "875386b98857822b77ac7f95bdf367b70af5b78c", "lessThan": "408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0", "status": "affected", "versionType": "git"}, {"version": "875386b98857822b77ac7f95bdf367b70af5b78c", "lessThan": "1922468a4a80424e5a69f7ba50adcee37f4722e9", "status": "affected", "versionType": "git"}, {"version": "875386b98857822b77ac7f95bdf367b70af5b78c", "lessThan": "aa14451fa5d5f2de919384c637e2a8c604e1a1fe", "status": "affected", "versionType": "git"}, {"version": "875386b98857822b77ac7f95bdf367b70af5b78c", "lessThan": "19bc5f2a6962dfaa0e32d0e0bc2271993d85d414", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/qla2xxx/qla_isr.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0"}, {"url": "https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9"}, {"url": "https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe"}, {"url": "https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414"}], "title": "scsi: qla2xxx: Sanitize payload size to prevent member overflow", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Sanitize payload size to prevent member overflow\n\nIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size\nreported by firmware is used to calculate the copy length into\nitem->iocb. However, the iocb member is defined as a fixed-size 64-byte\narray within struct purex_item.\n\nIf the reported frame_size exceeds 64 bytes, subsequent memcpy calls will\noverflow the iocb member boundary. While extra memory might be allocated,\nthis cross-member write is unsafe and triggers warnings under\nCONFIG_FORTIFY_SOURCE.\n\nFix this by capping total_bytes to the size of the iocb member (64 bytes)\nbefore allocation and copying. This ensures all copies remain within the\nbounds of the destination structure member."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nscsi: qla2xxx: Sanitizar el tama\u00f1o de la carga \u00fatil para prevenir el desbordamiento de miembro\n\nEn qla27xx_copy_fpin_pkt() y qla27xx_copy_multiple_pkt(), el frame_size reportado por el firmware se utiliza para calcular la longitud de la copia en item->iocb. Sin embargo, el miembro iocb se define como un array de tama\u00f1o fijo de 64 bytes dentro de la estructura purex_item.\n\nSi el frame_size reportado excede los 64 bytes, las llamadas subsiguientes a memcpy desbordar\u00e1n el l\u00edmite del miembro iocb. Aunque se podr\u00eda asignar memoria adicional, esta escritura entre miembros es insegura y activa advertencias bajo CONFIG_FORTIFY_SOURCE.\n\nSolucione esto limitando total_bytes al tama\u00f1o del miembro iocb (64 bytes) antes de la asignaci\u00f3n y la copia. Esto asegura que todas las copias permanezcan dentro de los l\u00edmites del miembro de la estructura de destino."}], "id": "CVE-2026-23059", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T17:16:16.583", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: scsi: qla2xxx: Sanitize payload size to prevent member overflow", "id": "2436777", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436777"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23059", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23059\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23059\nhttps://lore.kernel.org/linux-cve-announce/2026020414-CVE-2026-23059-152f@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:43:34.966944+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version containing the fix that caps the copy length at 64 bytes, as referenced by the commit IDs linked in the advisory.", "If an updated kernel is not available, remove or disable the qla2xxx driver or disconnect the QLogic SCSI hardware to eliminate the vulnerable code path.", "Enable kernel hardening options such as CONFIG_FORTIFY_SOURCE to add bounds checking to vulnerable functions as a temporary precaution."], "summary": {"action": "Immediate Patch", "impact": "Kernel memory corruption leading to privilege escalation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the qla2xxx SCSI driver and the qla27xx subnet modules before the patch. The affected vendor is the Linux community and the kernel maintainer for the qla2xxx driver. The patch references commit identifiers that address the buffer overflow. Users of QLogic SCSI devices running an unpatched kernel are affected.", "description_and_impact": "This vulnerability occurs when the qla2xxx driver copies a firmware\u2011reported frame size into a fixed\u2011size 64\u2011byte buffer without validating the size. If the firmware reports a value larger than 64 bytes, the driver performs a memcpy that writes past the array boundary. The write corrupts adjacent memory in kernel space, which can be leveraged to execute arbitrary code or crash the system. The impact can be escalation of privileges from a local user to root, denial of service, or potential remote compromise if the attacker can control device firmware or messages.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, but the absence of a KEV list does not guarantee that no exploits exist. The overflow occurs in kernel mode, so exploitation requires a local attacker who can communicate with the QLogic device or send malformed firmware data. With this boundary check missing, an attacker can craft a payload that triggers the overflow, potentially leading to arbitrary kernel code execution or system crash. Given the kernel\u2019s privileged context, the impact is severe if successfully exploited."}}}}, "created": "2026-04-17T23:45:25.813976+00:00", "updated": "2026-04-17T23:45:25.813986+00:00", "vendors": [], "weaknesses": ["CWE-119", "CWE-188"]}