CVE-2026-46108
Description
In the Linux kernel, the following vulnerability has been resolved:
ipmi:si: Return state to normal if message allocation fails
There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel IPMI driver (ipmi_si), failure to allocate messages can leave the driver in a non-functional state, requiring a return to normal operation.
Vulnerability
In the Linux kernel IPMI driver (ipmi_si), when memory allocation for a message fails, the driver does not properly transition back to its normal operational state. This affects kernel versions prior to the commit [1].
Exploitation
An attacker with local access or ability to trigger conditions causing memory pressure could induce message allocation failures. The exact sequence is not detailed, but the driver enters a state where no operation starts.
Impact
Successful exploitation can lead to a denial of service of IPMI functionality, as the driver fails to return to normal operation.
Mitigation
Fixed in commit [1]; users should update to a kernel version containing this commit or apply the patch. No known workarounds are available.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 10
09dd798270ff ipmi:si: Return state to normal if message allocation fails
1 file changed · +6 −3
drivers/char/ipmi/ipmi_si_intf.c+6 −3 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 7c3c463e08da25..9a9d12be9bf743 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -497,15 +497,19 @@ retry: } else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) { /* Messages available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_msg_queue(smi_info); } else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) { /* Events available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_events(smi_info); } else if (smi_info->msg_flags & OEM_DATA_AVAIL && -- cgit 1.3-korg
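Review bot: the same failure block, `smi_info->si_state = SI_NORMAL; return;`, is now repeated in both the `RECEIVE_MSG_AVAIL` and `EVENT_MSG_BUFFER_FULL` branches, so a future caller of `alloc_msg_handle_irq()` can omit it again. Consider resetting `si_state` on the failure return inside `alloc_msg_handle_irq()` itself, or routing both branches through one shared failure path, so the rule that a NULL return leaves the driver in `SI_NORMAL` lives in one place.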
ce905b65e649 ipmi:si: Return state to normal if message allocation fails
1 file changed · +6 −3
drivers/char/ipmi/ipmi_si_intf.c+6 −3 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 6b908586f0f0e1..0b2c8c4a78a3fe 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -481,15 +481,19 @@ retry: } else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) { /* Messages available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_msg_queue(smi_info); } else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) { /* Events available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_events(smi_info); } else if (smi_info->msg_flags & OEM_DATA_AVAIL && -- cgit 1.3-korg
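Review bot: the failure path in both branches is silent: the lines shown reset `si_state` and return without a log line or counter, so a fetch skipped under memory pressure leaves no trace for whoever later investigates missing IPMI messages or events. A rate-limited warning or a statistics counter next to `smi_info->si_state = SI_NORMAL;` would make the condition observable.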
88881dc1da86 ipmi:si: Return state to normal if message allocation fails
1 file changed · +6 −3
drivers/char/ipmi/ipmi_si_intf.c+6 −3 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index ab99f35c3f6083..2beec30fbc5791 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -481,15 +481,19 @@ retry: } else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) { /* Messages available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_msg_queue(smi_info); } else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) { /* Events available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_events(smi_info); } else if (smi_info->msg_flags & OEM_DATA_AVAIL && -- cgit 1.3-korg
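Review bot: neither failure branch says why `SI_NORMAL` is the right state to fall back to or what restarts the fetch; the pending bit in `smi_info->msg_flags` is not cleared in the lines shown and nothing here schedules a retry. A short comment above `smi_info->si_state = SI_NORMAL;` stating when the flags are looked at again (if that is the intent) would document the recovery path.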
ba60140d4133 ipmi:si: Return state to normal if message allocation fails
1 file changed · +6 −3
drivers/char/ipmi/ipmi_si_intf.c+6 −3 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 7c3c463e08da25..9a9d12be9bf743 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -497,15 +497,19 @@ retry: } else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) { /* Messages available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_msg_queue(smi_info); } else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) { /* Events available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_events(smi_info); } else if (smi_info->msg_flags & OEM_DATA_AVAIL && -- cgit 1.3-korg
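Review bot: only the `RECEIVE_MSG_AVAIL` and `EVENT_MSG_BUFFER_FULL` branches are touched, while the commit message speaks of "places" in general and the trailing context shows an `OEM_DATA_AVAIL` branch that is left unchanged. Please state in the commit message that these two are the only early returns after `alloc_msg_handle_irq()`, or extend the reset to the remaining ones.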
bc13fce9eeec ipmi:si: Return state to normal if message allocation fails
1 file changed · +6 −3
drivers/char/ipmi/ipmi_si_intf.c+6 −3 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 565167e0b71634..89af403fd99440 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -498,15 +498,19 @@ retry: } else if (smi_info->msg_flags & RECEIVE_MSG_AVAIL) { /* Messages available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_msg_queue(smi_info); } else if (smi_info->msg_flags & EVENT_MSG_BUFFER_FULL) { /* Events available. */ smi_info->curr_msg = alloc_msg_handle_irq(smi_info); - if (!smi_info->curr_msg) + if (!smi_info->curr_msg) { + smi_info->si_state = SI_NORMAL; return; + } start_getting_events(smi_info); } else if (smi_info->msg_flags & OEM_DATA_AVAIL && -- cgit 1.3-korg
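Review bot: the commit message does not say how the two new `smi_info->si_state = SI_NORMAL;` paths were exercised, and an allocation failure at this point is hard to hit by accident. A note that `alloc_msg_handle_irq()` was forced to return NULL in each branch and that message handling resumed afterwards would back the change, particularly for this backport where the hunk lands at a different offset (`@@ -498,15 +498,19 @@`).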
Vulnerability mechanics
Root cause
"Missing state reset on memory allocation failure leaves the IPMI SI state machine stuck in an intermediate state."
Attack vector
An attacker who can trigger memory pressure on the system (e.g., by exhausting memory) can cause `alloc_msg_handle_irq()` to fail inside the IPMI SI driver's interrupt handler. When the allocation fails in the `RECEIVE_MSG_AVAIL` or `EVENT_MSG_BUFFER_FULL` branches, the driver previously returned without resetting `smi_info->si_state` from its current non-normal state. This leaves the state machine stuck, preventing subsequent IPMI message processing from starting. No special network path or authentication is required beyond the ability to induce memory allocation failures on the host.
Affected code
The vulnerability is in `drivers/char/ipmi/ipmi_si_intf.c`, in the state machine logic that follows the `retry` label. The two code paths that handle the `RECEIVE_MSG_AVAIL` and `EVENT_MSG_BUFFER_FULL` flags call `alloc_msg_handle_irq()` but, on allocation failure, returned without resetting `smi_info->si_state`, leaving the driver in an intermediate state.
What the fix does
The patch adds `smi_info->si_state = SI_NORMAL;` before the `return` statement in both the `RECEIVE_MSG_AVAIL` and `EVENT_MSG_BUFFER_FULL` failure paths [patch_id=2898646]. Previously, when `alloc_msg_handle_irq()` returned NULL, the function simply returned without updating `si_state`, leaving the state machine in whatever intermediate state it was in (e.g., `SI_GETTING_MESSAGES` or `SI_GETTING_EVENTS`). By resetting to `SI_NORMAL`, the driver can retry the operation on the next interrupt, preventing a permanent stall of IPMI message handling.
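The stall and the recovery described above, as a small userspace model added here (it is not the kernel's code and not from the patch author). The state names `M_NORMAL` and `M_HANDLING_FLAGS`, the `m_*` functions and the injected-failure counter are hypothetical, and the model assumes new work is started only from the normal state.

```c
/* Userspace model only: all names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum m_state { M_NORMAL, M_HANDLING_FLAGS };

/* fail_left: injected allocation failures remaining; delivered: fetches done */
struct m_smi { enum m_state state; int fail_left; int delivered; };

/* Flag handler for a pending message; reset_on_fail = patched behaviour. */
static void m_handle_flags(struct m_smi *s, bool reset_on_fail)
{
    void *msg = NULL;
    if (s->fail_left > 0)
        s->fail_left--;           /* simulate allocation failure */
    else
        msg = malloc(16);
    if (!msg) {
        if (reset_on_fail)
            s->state = M_NORMAL;  /* the assignment the patch adds */
        return;                   /* unpatched: state stays non-normal */
    }
    free(msg);                    /* fetch modelled as completing at once */
    s->delivered++;
    s->state = M_NORMAL;
}

/* Deliver `events` interrupts, with a message pending at each one. */
int m_run(bool patched, int failures, int events, bool *stuck)
{
    struct m_smi s = { M_NORMAL, failures, 0 };
    for (int i = 0; i < events; i++) {
        if (s.state != M_NORMAL)
            continue;             /* busy: no new work is started */
        s.state = M_HANDLING_FLAGS;
        m_handle_flags(&s, patched);
    }
    *stuck = (s.state != M_NORMAL);
    return s.delivered;
}

int main(void)
{
    bool a, b;
    int u = m_run(false, 1, 5, &a), p = m_run(true, 1, 5, &b);
    printf("unpatched: delivered=%d stuck=%d\n", u, a);
    printf("patched:   delivered=%d stuck=%d\n", p, b);
    return 0;
}
```

With one injected failure and five events, the unpatched model never leaves the intermediate state, while the patched model loses only the event on which the allocation failed.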
Preconditions
- input: Memory pressure sufficient to cause `kmalloc` (or similar) failure inside `alloc_msg_handle_irq()`
- config: IPMI SI driver must be active and handling interrupts on the system
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
- git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb (nvd)
- git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12 (nvd)
- git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e (nvd)
- git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c (nvd)
- git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007 (nvd)