CVE-2026-43055
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: file: Use kzalloc_flex for aio_cmd
The target_core_file doesn't initialize the aio_cmd->iocb for the ki_write_stream. When a write command fd_execute_rw_aio() is executed, we may get a bogus ki_write_stream value, causing unintended write failure status when checking iocb->ki_write_stream > max_write_streams in the block device.
Let's just use kzalloc_flex when allocating the aio_cmd and let ki_write_stream=0 to fix this issue.
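The failure and the fix described above, as an added userspace C model (not kernel code and not part of the CVE record). Every `*_model` name, the 0xA5 fill standing in for stale allocator memory, and the stream limit of 4 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAX_WRITE_STREAMS 4   /* constructed device limit (assumption) */

/* Simplified stand-ins: only the fields needed to show the bug. */
struct vec_model { void *base; size_t len; };
struct kiocb_model { long ki_pos; unsigned char ki_write_stream; };
struct aio_cmd_model {
    struct kiocb_model iocb;
    size_t len;
    struct vec_model vecs[];        /* flexible array, sized per command */
};

static size_t cmd_size(unsigned int n)
{
    return sizeof(struct aio_cmd_model) + n * sizeof(struct vec_model);
}

/* Non-zeroing allocation; 0xA5 plays the role of stale heap contents. */
static struct aio_cmd_model *alloc_stale(unsigned int n)
{
    struct aio_cmd_model *c = malloc(cmd_size(n));
    if (c)
        memset(c, 0xA5, cmd_size(n));
    return c;
}

/* Zeroing allocation of header plus array, the effect the fix relies on. */
static struct aio_cmd_model *alloc_zeroed(unsigned int n)
{
    return calloc(1, cmd_size(n));
}

/* Caller fills the fields it knows about and never sets ki_write_stream;
 * the check is the one quoted in the description. Returns 0 or -1. */
static int submit_write(struct aio_cmd_model *c, size_t len)
{
    c->len = len;
    c->iocb.ki_pos = 0;
    return c->iocb.ki_write_stream > MODEL_MAX_WRITE_STREAMS ? -1 : 0;
}

/* zeroed == 0: stale allocation; zeroed != 0: zeroed allocation. */
static int run_case(int zeroed)
{
    struct aio_cmd_model *c = zeroed ? alloc_zeroed(4) : alloc_stale(4);
    int rc = c ? submit_write(c, 4096) : -2;
    free(c);
    return rc;
}
```

`run_case(0)` rejects a write that the caller never tagged with a stream, while `run_case(1)` passes the same request because the field reads as 0.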
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's target_core_file, uninitialized memory in aio_cmd->iocb can cause bogus ki_write_stream values, leading to unintended write failures.
Vulnerability Overview
The Linux kernel's SCSI target subsystem, in the target_core_file module, contains an uninitialized memory vulnerability affecting asynchronous I/O (AIO) write operations. When executing a write command via fd_execute_rw_aio(), the aio_cmd->iocb structure is allocated without proper initialization. Specifically, the ki_write_stream field may retain a bogus value from uninitialized memory.
Exploitation Mechanism
During a write operation, the block layer checks iocb->ki_write_stream against max_write_streams. An uninitialized ki_write_stream can exceed this limit, causing the kernel to incorrectly flag the write as exceeding stream limits. This results in an unintended -EIO or similar write failure status being returned to the caller. No authentication is required to trigger this; any process able to issue SCSI commands through the target layer can potentially trigger the condition.
Impact
An attacker able to issue write commands through the SCSI target file backend could cause legitimate write I/O to fail, leading to data loss or corruption. Repeated exploitation may result in persistent denial of service against storage targets. The CVSS v3 base score of 7.5 (High) reflects the potential for disruption without high privileges or user interaction.
Mitigation
The fix was committed to the Linux kernel stable trees. The patch replaces the plain allocation with kzalloc_flex, ensuring ki_write_stream is zeroed, thus preventing the uninitialized memory issue [1][2][3]. Users should update to a kernel version containing the respective stable commits. No workaround is known for unpatched kernels.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.16,<6.18.22
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Patches
No patches discovered yet.