VYPR
Unrated severity · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-39998

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: target_core_configfs: Add length check to avoid buffer overflow

A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes).

snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a device name (dev->dev_group.cg_item) and a newline character; the total formatted string length may exceed the buffer size of 256 bytes.

Since snprintf() returns the total number of bytes that would have been written (the length of "%s/%s\n"), this value may exceed the buffer length (256 bytes) passed to memcpy(); this will ultimately cause function memcpy to report a buffer overflow error.

An additional check of the return value of snprintf() can avoid this buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow in the Linux kernel's SCSI target configfs code (target_lu_gp_members_show) occurs because the return value of snprintf, which is the length the full string would have had rather than the number of bytes actually stored, is passed unchecked to memcpy as the copy length; when the formatted member name exceeds the 256-byte buffer, memcpy overruns it.

Vulnerability

Analysis

The vulnerability resides in the target_lu_gp_members_show function in drivers/target/target_core_configfs.c. For each member of an ALUA LU group, the function uses snprintf to write a formatted string (HBA name, slash, device name, newline) into a stack buffer buf of size LU_GROUP_NAME_BUF (256 bytes). snprintf never writes more than 256 bytes into buf, but its return value is the length the complete string would have had if the buffer were large enough. That return value is then used, without being compared against LU_GROUP_NAME_BUF, as the byte count of a memcpy whose source is buf. Whenever the concatenated string is longer than 256 bytes, the copy length exceeds the size of its source and memcpy reads past the end of the stack buffer. This is the "buffer overflow error" the description refers to: with CONFIG_FORTIFY_SOURCE the oversized memcpy is detected and reported at the call site [1][2][3][4].

Exploitation

Triggering the overflow requires creating HBA and device entries with long names in the target configfs hierarchy (under /sys/kernel/config/target/core/), making the device a member of an LU group, and then reading the group's members attribute, which is what calls target_lu_gp_members_show. Creating those configfs directories demands root (CAP_SYS_ADMIN) on the host, so this is not reachable by an unprivileged local user or by a remote initiator. The SCSI target subsystem is common in storage appliances and hypervisor hosts; on such a system a local administrator can choose names whose combined "<hba>/<dev>\n" form is longer than 256 bytes and then read the attribute to trigger the out-of-bounds memcpy.

Impact

Because the unchecked length exceeds the size of the memcpy source buffer, the immediate effect is an out-of-bounds read of the kernel stack beyond buf. On kernels built with CONFIG_FORTIFY_SOURCE the overrun is caught and reported, which on most configurations means a kernel warning or panic, i.e. a denial of service. Without that instrumentation, the bytes following buf on the stack are copied into the attribute output returned to the reader, disclosing kernel stack contents. Since the trigger already requires root, the practical impact is limited to crashing the host or leaking kernel memory to a user who is already privileged; the exact outcome depends on the kernel configuration and stack layout.

Mitigation

The fix checks the return value of snprintf against LU_GROUP_NAME_BUF before using it as the copy length, truncating it to what actually fits in buf, so memcpy never reads beyond the buffer. Patches have been applied to multiple stable kernel branches as referenced in [1][2][3][4].
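The following is an added example, not code from the kernel or from this page: a userspace C model of the per-member loop described in the Analysis and Mitigation sections above, showing the unpatched computation (snprintf's return value taken as the copy length) beside a clamped version. The names, the 4096-byte PAGE_SIZE value, the function names and the "+1 for the NUL" accounting are assumptions made for the illustration; the unchecked variant only computes the length and deliberately does not perform the over-long memcpy, because doing so would be undefined behaviour in userspace.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the member-formatting loop (not kernel code):
 * each LU group member is formatted as "<hba>/<dev>\n" into a 256-byte
 * stack buffer and then copied into a page-sized output buffer. */
#define LU_GROUP_NAME_BUF 256
#define PAGE_SIZE 4096        /* assumed value for the illustration */

/* Unpatched pattern: trust snprintf's return value as the copy length.
 * snprintf reports the length the *full* string would have had, so for
 * long names the result exceeds sizeof(buf). We only return that length;
 * the unpatched kernel passed it straight to memcpy(page + len, buf, n),
 * which then reads past the end of buf. */
size_t member_len_unchecked(const char *hba, const char *dev)
{
    char buf[LU_GROUP_NAME_BUF] = { 0 };
    int n = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);

    if (n < 0)
        return 0;
    return (size_t)n + 1;          /* +1 for the NUL terminator */
}

/* Hardened pattern: clamp the length to what actually landed in buf.
 * Returns the bytes appended to page, or 0 if page would overflow. */
size_t append_member_checked(char *page, size_t *len,
                             const char *hba, const char *dev)
{
    char buf[LU_GROUP_NAME_BUF] = { 0 };
    int n = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);
    size_t cur_len;

    if (n < 0)
        return 0;
    cur_len = (size_t)n;
    if (cur_len >= sizeof(buf))    /* snprintf truncated the output */
        cur_len = sizeof(buf) - 1; /* chars actually stored, NUL excluded */
    cur_len++;                     /* include the terminating NUL */

    if (*len + cur_len > PAGE_SIZE) /* destination bound */
        return 0;
    memcpy(page + *len, buf, cur_len); /* never reads beyond buf */
    *len += cur_len;
    return cur_len;
}

/* Constructed sample names: a short member, and one whose device name is
 * 300 characters, enough to push "<hba>/<dev>\n" past 256 bytes. */
static const char *sample_hba = "iblock_0";
static char long_dev[301];

const char *long_dev_name(void)
{
    memset(long_dev, 'a', sizeof(long_dev) - 1);
    long_dev[sizeof(long_dev) - 1] = '\0';
    return long_dev;
}

static char demo_pg[PAGE_SIZE];

/* Runs the hardened loop over both sample members; returns total bytes. */
size_t demo_checked_total(void)
{
    size_t len = 0;

    memset(demo_pg, 0, sizeof(demo_pg));
    append_member_checked(demo_pg, &len, sample_hba, "disk1");
    append_member_checked(demo_pg, &len, sample_hba, long_dev_name());
    return len;
}

/* Returns the page filled by demo_checked_total() for inspection. */
const char *demo_page(void)
{
    demo_checked_total();
    return demo_pg;
}

int main(void)
{
    printf("unchecked length for the long name: %zu (buf is %d bytes)\n",
           member_len_unchecked(sample_hba, long_dev_name()),
           LU_GROUP_NAME_BUF);
    printf("checked total for both members: %zu bytes\n",
           demo_checked_total());
    return 0;
}
```

For the 300-character device name the unchecked length is 311, well past the 256-byte buffer, while the checked version copies exactly 256 bytes (255 characters plus the NUL) and the output page stays consistent. The same clamp (`if (n >= sizeof(buf)) n = sizeof(buf) - 1;`) is the general rule for any snprintf whose return value feeds a later copy or offset.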

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 9

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0. No linked articles in our index yet.