CVE-2026-46128
Description
In the Linux kernel, the following vulnerability has been resolved:
ipmi: Check event message buffer response for bad data
The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events.
There are apparently some new BMCs that make this error, so we need to compensate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IPMI event message buffer response is not validated early, allowing empty responses from certain BMCs to cause undefined behavior.
Vulnerability
The Linux kernel IPMI (Intelligent Platform Management Interface) subsystem, in versions prior to the fix commit 24269264c3d59a49eb09b10af2c75b14f2931482, fails to properly validate the response data of event message buffer commands. The response size is checked only later during processing, not immediately after the response is received. Certain BMCs may return an empty message instead of an error when fetching events, leading to potential handling of invalid data [1].
Exploitation
An attacker who can interact with a vulnerable BMC (e.g., via local access or network if IPMI is exposed) could craft or trigger the BMC to return an empty event message buffer response. No authentication is specified as required, but the attacker must be able to send IPMI commands to the BMC. The kernel driver then processes this malformed response without immediate size validation, which may lead to buffer over-reads or other memory corruption issues [1].
Impact
Successful exploitation could result in information disclosure (reading kernel memory beyond the intended buffer) or potentially system crashes/denial of service. The exact privilege escalation is not detailed, but memory corruption in kernel space may lead to arbitrary code execution. The impact depends on the specific kernel version and memory layout [1].
Mitigation
A fix was committed to the Linux kernel stable tree with commit 24269264c3d59a49eb09b10af2c75b14f2931482. Users should update their kernel to a version containing this commit or apply the patch from the kernel stable repository. No workaround is mentioned, and the CVE is not listed on CISA KEV as of the available references [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
10
2418e4b21fb1 ipmi: Check event message buffer response for bad data
2 files changed · +14 −4
drivers/char/ipmi/ipmi_si_intf.c+7 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 3db6df94ebe79b..6b908586f0f0e1 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -625,7 +625,13 @@ static void handle_transaction_done(struct smi_info *smi_info) */ msg = smi_info->curr_msg; smi_info->curr_msg = NULL; - if (msg->rsp[2] != 0) { + /* + * It appears some BMCs, with no event data, return no + * data in the message and not a 0x80 error as the + * spec says they should. Shut down processing if + * the data is not the right length. + */ + if (msg->rsp[2] != 0 || msg->rsp_size != 19) { /* Error getting event, probably done. */ msg->done(msg); -- cgit 1.3-korg
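Review bot: The new condition reads msg->rsp[2] before it tests msg->rsp_size, so for the empty response the added comment describes, the byte being compared was never supplied by the BMC. The outcome is still correct, because either operand sends the message down the error path, but putting the length test first (msg->rsp_size != 19 || msg->rsp[2] != 0) means the completion code is only read once it is known to be present. The literal 19 is also unexplained: the comment says "the right length" without saying how that length is made up, so a named constant or one more comment line would help the next reader.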
7f7ada72c07a ipmi: Check event message buffer response for bad data
2 files changed · +14 −4
drivers/char/ipmi/ipmi_si_intf.c+7 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index a3eca46ca0abca..ab99f35c3f6083 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -625,7 +625,13 @@ static void handle_transaction_done(struct smi_info *smi_info) */ msg = smi_info->curr_msg; smi_info->curr_msg = NULL; - if (msg->rsp[2] != 0) { + /* + * It appears some BMCs, with no event data, return no + * data in the message and not a 0x80 error as the + * spec says they should. Shut down processing if + * the data is not the right length. + */ + if (msg->rsp[2] != 0 || msg->rsp_size != 19) { /* Error getting event, probably done. */ msg->done(msg); -- cgit 1.3-korg
42432b579a59 ipmi: Check event message buffer response for bad data
2 files changed · +14 −4
drivers/char/ipmi/ipmi_si_intf.c+7 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index f67b7ffe1050c5..565167e0b71634 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -642,7 +642,13 @@ static void handle_transaction_done(struct smi_info *smi_info) */ msg = smi_info->curr_msg; smi_info->curr_msg = NULL; - if (msg->rsp[2] != 0) { + /* + * It appears some BMCs, with no event data, return no + * data in the message and not a 0x80 error as the + * spec says they should. Shut down processing if + * the data is not the right length. + */ + if (msg->rsp[2] != 0 || msg->rsp_size != 19) { /* Error getting event, probably done. */ msg->done(msg); -- cgit 1.3-korg
24269264c3d5 ipmi: Check event message buffer response for bad data
2 files changed · +14 −4
drivers/char/ipmi/ipmi_si_intf.c+7 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index c4f746b3c46041..7c3c463e08da25 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -641,7 +641,13 @@ static void handle_transaction_done(struct smi_info *smi_info) */ msg = smi_info->curr_msg; smi_info->curr_msg = NULL; - if (msg->rsp[2] != 0) { + /* + * It appears some BMCs, with no event data, return no + * data in the message and not a 0x80 error as the + * spec says they should. Shut down processing if + * the data is not the right length. + */ + if (msg->rsp[2] != 0 || msg->rsp_size != 19) { /* Error getting event, probably done. */ msg->done(msg); -- cgit 1.3-korg
36920f30e78e ipmi: Check event message buffer response for bad data
2 files changed · +14 −4
drivers/char/ipmi/ipmi_si_intf.c+7 −2 modifieddiff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index 4a9e9de4d684f9..08c208cc64c56b 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -630,7 +630,13 @@ static void handle_transaction_done(struct smi_info *smi_info) */ msg = smi_info->curr_msg; smi_info->curr_msg = NULL; - if (msg->rsp[2] != 0) { + /* + * It appears some BMCs, with no event data, return no + * data in the message and not a 0x80 error as the + * spec says they should. Shut down processing if + * the data is not the right length. + */ + if (msg->rsp[2] != 0 || msg->rsp_size != 19) { /* Error getting event, probably done. */ msg->done(msg); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing response-size validation in `handle_transaction_done` allows undersized BMC responses to be treated as valid events."
Attack vector
An attacker with control over a BMC (Baseboard Management Controller) connected to the host can send a malformed response to an IPMI "Get SEL Time", "Reserve SEL" or similar event-fetching command. Instead of returning a proper 19-byte response with a non-zero completion code in `rsp[2]`, the BMC returns a response with `rsp_size` not equal to 19 and `rsp[2]` equal to 0. The original code only checked `rsp[2] != 0`, so it treated the undersized response as a valid event and passed it to later processing, which could lead to undefined behavior or incorrect state transitions.
Affected code
The vulnerability is in the `handle_transaction_done` function within `drivers/char/ipmi/ipmi_si_intf.c` [patch_id=2898463]. The function processes the response from an IPMI event message buffer read command.
What the fix does
The patch adds a second condition to the error check in `handle_transaction_done`: `msg->rsp_size != 19` is OR'd with the existing `msg->rsp[2] != 0` check [patch_id=2898463]. This ensures that if the response data length is not exactly 19 bytes (the expected size for a valid event message buffer response), the message is treated as an error and processing is shut down via `msg->done(msg)`. The fix compensates for BMCs that return an empty or undersized message instead of the spec-mandated 0x80 error completion code.
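The before and after conditions from the patch, modelled in user space as an added example (not code from the kernel or from this page). `struct model_msg`, the 64-byte zero-filled buffer and the sample response bytes are assumptions constructed for illustration; only the two conditions and the length 19 come from the patch.

```c
#include <stdio.h>
#include <string.h>

#define EVENT_RSP_LEN 19  /* length the patch requires */
#define RSP_BUF_LEN   64  /* model buffer size (assumption, not the driver's) */

/* Simplified stand-in for the driver's message: only the fields the patch tests. */
struct model_msg {
    unsigned char rsp[RSP_BUF_LEN];
    int rsp_size;
};

/* Build a message in a zeroed buffer, so bytes the BMC never sent read as 0. */
static struct model_msg make_msg(const unsigned char *data, int len)
{
    struct model_msg m;
    memset(&m, 0, sizeof(m));
    if (len > 0)
        memcpy(m.rsp, data, (size_t)len);
    m.rsp_size = len;
    return m;
}

/* Pre-fix condition: only the completion code in rsp[2] is tested. */
static int accepted_before_fix(const struct model_msg *m)
{
    return !(m->rsp[2] != 0);
}

/* Post-fix condition, as written in the patch. */
static int accepted_after_fix(const struct model_msg *m)
{
    return !(m->rsp[2] != 0 || m->rsp_size != EVENT_RSP_LEN);
}

/* Constructed sample responses (header bytes are illustrative). */
static struct model_msg sample(int which)
{
    static const unsigned char hdr_ok[3]  = { 0x1c, 0x35, 0x00 };
    static const unsigned char hdr_err[3] = { 0x1c, 0x35, 0x80 };
    unsigned char full[EVENT_RSP_LEN] = { 0x1c, 0x35, 0x00 };

    switch (which) {
    case 0: return make_msg(NULL, 0);     /* empty message, no error code */
    case 1: return make_msg(hdr_ok, 3);   /* code 0 but no event bytes */
    case 2: return make_msg(hdr_err, 3);  /* 0x80 error completion code */
    default:
        memset(full + 3, 0xAA, EVENT_RSP_LEN - 3);
        return make_msg(full, EVENT_RSP_LEN);  /* well-formed response */
    }
}

int main(void)
{
    static const char *names[] = { "empty", "code 0, no data",
                                   "0x80 error", "valid 19-byte" };
    for (int i = 0; i < 4; i++) {
        struct model_msg m = sample(i);
        printf("%-16s size=%2d accepted: before=%d after=%d\n", names[i],
               m.rsp_size, accepted_before_fix(&m), accepted_after_fix(&m));
    }
    return 0;
}
```

The empty and header-only responses are the two rows where the pre-fix condition accepts a message that the patched condition rejects.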
Preconditions
- config: The system must have an IPMI interface managed by the ipmi_si driver.
- input: A BMC (or emulated BMC) must be present that returns malformed event message buffer responses (empty or wrong-length messages with rsp[2]==0).
- network: The attacker must be able to influence the BMC's response to the IPMI event fetch command.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5
- git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d (nvd)
- git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482 (nvd)
- git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98 (nvd)
- git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89 (nvd)
- git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0 (nvd)