CVE-2026-53186

Source
https://cve.org/CVERecord?id=CVE-2026-53186
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53186.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53186
Downstream
Related
Published
2026-06-25T08:38:59.508Z
Modified
2026-07-08T08:07:23.801570339Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
RDMA/srp: bound SRP_RSP sense copy by the received length
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srp: bound SRP_RSP sense copy by the received length

srpprocessrsp() copies sense data from rsp->data + respdatalen, where respdatalen is the full 32-bit value supplied by the SRP target and is never checked against the number of bytes actually received (wc->bytelen). The copy length is bounded to SCSISENSE_BUFFERSIZE, so at most 96 bytes are copied, but the source offset is not bounded.

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that the initiator has logged into can return an SRPRSP with SRPRSPFLAGSNSVALID set and a large respdatalen. The receive buffer is allocated at the target-chosen maxtiiulen, so the source of the sense copy lands past the bytes actually received; with respdata_len near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.

Copy the sense data only if it has not been truncated, that is, only if the response header, the response data, and the sense region fit within the bytes actually received; otherwise drop the sense and log. The in-tree iSER and NVMe-RDMA receive paths already bound their parse by wc->bytelen; this brings ibsrp into line with them.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53186.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aef9ec39c47f0cece886ddd6b53c440321e0b2a6
Fixed
3889517c2ec7f364914aea8209abfff735f7ecde
Fixed
ed77cc819ad631264787cade5ae5ec4c535ec6bb
Fixed
0b9ee09d5e849591f17d98c078033dadea967293
Fixed
0d64bc200ebe4f275b27438c6e593903e0b16fe1
Fixed
2015038195939eac54a1ee83c9d98ef1a8ccbbce
Fixed
f92a285db7ff6e598591ccbfb551be155c5f4d57
Fixed
3523e53ff95f1837ec3f57ff7558532bcb2661b7
Fixed
13e91fd076306f5d0cdfa14f53d69e37274723c4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53186.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.15
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53186.json"