{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46149", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.101Z", "datePublished": "2026-05-28T09:36:05.706Z", "dateUpdated": "2026-05-28T09:36:05.706Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:36:05.706Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer. snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes. The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_configfs.c"], "versions": [{"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "lessThan": "1f678d13e939f91840cb1ebe9b88544923539d3c", "status": "affected", "versionType": "git"}, {"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "lessThan": "72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e", "status": "affected", "versionType": "git"}, {"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "lessThan": "00d91bfdce5033f5d9b4915638ae9b0553848b5d", "status": "affected", "versionType": "git"}, {"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "lessThan": "e501154f9d82c95d2719bcbbaf679d8fd3226ef7", "status": "affected", "versionType": "git"}, {"version": "c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5", "lessThan": "772a896a56e0e3ef9424a025cec9176f9d8f4552", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/target/target_core_configfs.c"], "versions": [{"version": "2.6.38", "status": "affected"}, {"version": "0", "lessThan": "2.6.38", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.38", "versionEndExcluding": "7.1-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"}, {"url": "https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"}, {"url": "https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"}, {"url": "https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"}, {"url": "https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"}], "title": "scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer. snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes. The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here."}], "id": "CVE-2026-46149", "lastModified": "2026-05-28T10:16:30.513", "metrics": {}, "published": "2026-05-28T10:16:30.513", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2026-05-28T11:45:16.112355+00:00", "updated": "2026-05-28T11:45:16.112366+00:00", "vendors": [], "weaknesses": ["CWE-119"]}