PT-2026-52272 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53176

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.

In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative.

isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.
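
A user-space model of the length arithmetic described above, added here as an illustration; it is not the kernel source or the fix commit. The function names are hypothetical, the constants are the values the description states, and the sample byte counts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISER_HEADERS_LEN    76   /* value given in the advisory */
#define MAX_KEY_VALUE_PAIRS 8192 /* matches the 8192-byte login->req_buf */

/* Pre-fix arithmetic: payload length with no lower bound on byte_len. */
static int req_len_unpatched(uint32_t byte_len)
{
    return (int)byte_len - ISER_HEADERS_LEN;
}

/* Post-fix arithmetic: short PDUs are rejected before the subtraction.
 * Returns 0 and stores the length, or -1 when the PDU is rejected. */
static int req_len_patched(uint32_t byte_len, int *len)
{
    if (byte_len < (uint32_t)ISER_HEADERS_LEN)
        return -1;
    *len = (int)byte_len - ISER_HEADERS_LEN;
    return 0;
}

/* Length memcpy() would receive: signed min(), then conversion to size_t. */
static size_t copy_size(int rx_buflen)
{
    int size = rx_buflen < MAX_KEY_VALUE_PAIRS ? rx_buflen : MAX_KEY_VALUE_PAIRS;
    return (size_t)size; /* a negative int becomes a huge unsigned value */
}

int main(void)
{
    /* Constructed work-completion byte counts around the 76-byte boundary. */
    const uint32_t samples[] = { 0, 48, 75, 76, 124, 76 + 8192 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int len = 0;
        int raw = req_len_unpatched(samples[i]);
        int rc = req_len_patched(samples[i], &len);

        printf("byte_len=%5u unpatched: len=%5d copy=%zu (%s) | patched: %s\n",
               (unsigned)samples[i], raw, copy_size(raw),
               copy_size(raw) <= MAX_KEY_VALUE_PAIRS ? "in bounds" : "OUT OF BOUNDS",
               rc ? "rejected" : "accepted");
    }
    return 0;
}
```

Every sample below 76 bytes yields an out-of-bounds copy size in the unpatched column and "rejected" in the patched column, while oversized values are clamped to 8192 in both.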

Related identifiers

CVE-2026-53176

Affected products

Linux