In the Linux kernel, the following vulnerability has been resolved:
IB/isert: Reject login PDUs shorter than ISERHEADERSLEN
In drivers/infiniband/ulp/isert/ibisert.c, isertloginrecvdone() computes the login request payload length as wc->bytelen minus ISERHEADERSLEN with no lower bound, and loginreqlen is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISERHEADERSLEN (76) bytes, so the subtraction underflows and loginreq_len becomes negative.
isertrxloginreq() then reads that negative length back into a signed int, takes size = min(rxbuflen, MAXKEYVALUEPAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte sizet. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.
Reject any login PDU shorter than ISERHEADERSLEN before the subtraction, mirroring the existing early return on a failed work completion, so loginreqlen can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISERRXPAYLOADSIZE, so the difference stays at or below MAXKEYVALUEPAIRS and the existing min() clamps it; only the missing lower bound needs to be added.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53176.json",
"cna_assigner": "Linux"
}