{"api_version":"1","generated_at":"2026-05-30T17:58:32+00:00","cve":"CVE-2026-46149","urls":{"html":"https://cve.report/CVE-2026-46149","api":"https://cve.report/api/cve/CVE-2026-46149.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46149","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46149"},"summary":{"title":"scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer.  snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes.  The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:30","updated_at":"2026-05-30 11:17:23"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e","name":"https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552","name":"https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c","name":"https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d","name":"https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7","name":"https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46149","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46149","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 1f678d13e939f91840cb1ebe9b88544923539d3c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 00d91bfdce5033f5d9b4915638ae9b0553848b5d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 e501154f9d82c95d2719bcbbaf679d8fd3226ef7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5 772a896a56e0e3ef9424a025cec9176f9d8f4552 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.38","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.38 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.88 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.30 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc3 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46149","cve":"CVE-2026-46149","epss":"0.000180000","percentile":"0.051640000","score_date":"2026-05-29","updated_at":"2026-05-30 00:13:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/target/target_core_configfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"1f678d13e939f91840cb1ebe9b88544923539d3c","status":"affected","version":"c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5","versionType":"git"},{"lessThan":"72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e","status":"affected","version":"c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5","versionType":"git"},{"lessThan":"00d91bfdce5033f5d9b4915638ae9b0553848b5d","status":"affected","version":"c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5","versionType":"git"},{"lessThan":"e501154f9d82c95d2719bcbbaf679d8fd3226ef7","status":"affected","version":"c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5","versionType":"git"},{"lessThan":"772a896a56e0e3ef9424a025cec9176f9d8f4552","status":"affected","version":"c66ac9db8d4ad9994a02b3e933ea2ccc643e1fe5","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/target/target_core_configfs.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.38"},{"lessThan":"2.6.38","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.88","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.30","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc3","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"2.6.38","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.88","versionStartIncluding":"2.6.38","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.30","versionStartIncluding":"2.6.38","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"2.6.38","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc3","versionStartIncluding":"2.6.38","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer.  snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes.  The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here."}],"metrics":[{"cvssV3_1":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-30T10:48:20.045Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"},{"url":"https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"},{"url":"https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"},{"url":"https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"},{"url":"https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"}],"title":"scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46149","datePublished":"2026-05-28T09:36:05.706Z","dateReserved":"2026-05-13T15:03:33.101Z","dateUpdated":"2026-05-30T10:48:20.045Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:30","lastModifiedDate":"2026-05-30 11:17:23","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46149","Ordinal":"1","Title":"scsi: target: configfs: Bound snprintf() return in tg_pt_gp_memb","CVE":"CVE-2026-46149","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46149","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer.  snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes.  The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here.","Type":"Description","Title":"scsi: target: configfs: Bound snprintf() return in tg_pt_gp_memb"}]}}}