CVE-2026-23059
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Sanitize payload size to prevent member overflow
In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item.
If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE.
Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's qla2xxx SCSI driver, a buffer overflow in FPIN handling occurs when firmware reports a frame_size larger than 64 bytes, leading to a memcpy overflow into adjacent memory.
Vulnerability
Details
In the Linux kernel's qla2xxx SCSI driver, the functions qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt() process FPIN (Fabric Performance Impact Notification) frames. The firmware reports a frame_size value that is used to calculate the copy length into the item->iocb member, which is a fixed-size 64-byte array within the struct purex_item. If the reported frame_size exceeds 64 bytes, the subsequent memcpy call overflows the iocb boundary, writing into adjacent memory. This cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE.
Exploitation
An attacker with control over the Fibre Channel fabric can send crafted FPIN frames with an oversized frame_size field. No authentication is required at the SCSI layer; the driver trusts the firmware-provided size. The vulnerability is triggered during normal FPIN event processing, making it accessible to any host connected to a malicious fabric.
Impact
Successful exploitation allows an attacker to corrupt kernel memory beyond the iocb array. This can lead to system instability, denial of service, or potentially arbitrary code execution in kernel context. The overflow is detectable under CONFIG_FORTIFY_SOURCE but remains exploitable without that protection.
Mitigation
The fix caps total_bytes to the size of the iocb member (64 bytes) before allocation and copying, ensuring all copies remain within bounds. The patch has been applied to the Linux kernel stable branches via commits [1] and [2]. Users should update to a kernel version containing these commits.
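The following is an added illustration of the pattern the fix describes, constructed for this page and not taken from the qla2xxx driver: a minimal model of struct purex_item with its 64-byte iocb member, the cap on total_bytes applied before allocation and copying, and a check that an oversized firmware-reported frame_size no longer reaches the member that follows iocb. Everything beyond the 64-byte iocb member (the surrounding struct layout, the guard value, the function names) is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern in the advisory, not the qla2xxx source; only the 64-byte iocb member is taken from struct purex_item, the rest is assumed. */
#define IOCB_SIZE 64
#define GUARD_PATTERN 0xA5A5A5A5u

struct purex_item {
    uint32_t size;              /* bytes actually stored in iocb */
    uint8_t  iocb[IOCB_SIZE];   /* fixed-size destination member */
    uint32_t guard;             /* stands in for whatever follows iocb in memory */
};

/* The fix: total_bytes may never exceed the destination member (the vulnerable code used the firmware-reported frame_size directly as the memcpy length). */
size_t cap_total_bytes(size_t frame_size)
{
    return frame_size > IOCB_SIZE ? IOCB_SIZE : frame_size;
}

/* Fixed shape: cap before allocating and copying, as the patch does. */
struct purex_item *copy_fpin_pkt_capped(const uint8_t *frame, size_t frame_size)
{
    size_t total_bytes = cap_total_bytes(frame_size);
    struct purex_item *item = calloc(1, sizeof(*item));
    if (!item)
        return NULL;
    item->size = (uint32_t)total_bytes;
    item->guard = GUARD_PATTERN;
    memcpy(item->iocb, frame, total_bytes);  /* bounded by sizeof(iocb) */
    return item;
}

/* Push a constructed frame of frame_size bytes (at most 256) through the fixed path; returns 1 if the copy stayed inside iocb (guard untouched, data intact), 0 otherwise. */
int copy_preserves_guard(size_t frame_size)
{
    uint8_t frame[256];
    size_t want = cap_total_bytes(frame_size);
    struct purex_item *item;
    int ok;
    if (frame_size > sizeof(frame)) return 0;
    for (size_t i = 0; i < frame_size; i++)
        frame[i] = (uint8_t)i;
    if (!(item = copy_fpin_pkt_capped(frame, frame_size)))
        return 0;
    ok = item->size == want && item->guard == GUARD_PATTERN &&
         memcmp(item->iocb, frame, want) == 0;
    free(item);
    return ok;
}
```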
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)