PT-2026-43931 · Linux · Linux Kernel
Published 2026-05-27 · Updated 2026-06-04 · CVE-2026-46064
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 7.0.11-1.1
Description
A heap over-read exists in the ibmasm_send_i2o_message() function. The function utilizes get_dot_command_size() to determine the byte count for memcpy_toio(), but this value is based on user-controlled fields within the dot command header (command_size and data_size) and is not validated against the actual allocation size. A root user can provide a small buffer with inflated header fields, causing memcpy_toio() to read up to approximately 65 KB beyond the allocation into the adjacent kernel heap, which is then sent to the service processor via Memory Mapped I/O (MMIO), a method of accessing hardware registers. To prevent service processor desynchronization and the leaking of I2O message frames, the command size must be validated and clamped to I2O_COMMAND_SIZE before the memcpy_toio() operation.
Recommendations
Update to version 7.0.11-1.1.
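The size check the description calls for, modelled in user-space C as an added example; it is not the kernel patch or the driver's own code. The header layout, the limit value EXAMPLE_I2O_COMMAND_SIZE and the helpers safe_copy_len() and check_sample() are assumptions made for illustration, and rejecting an over-claiming header before clamping is one reading of "validated and clamped".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout, modelled on the fields the description names. */
struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;  /* caller-controlled */
    uint16_t data_size;     /* caller-controlled */
    uint8_t  status;
    uint8_t  reserved;
};

/* Constructed limit for this example; not the driver's real I2O_COMMAND_SIZE. */
#define EXAMPLE_I2O_COMMAND_SIZE 240u

/* Bytes the header claims: the value that was trusted without validation. */
static size_t claimed_size(const void *buf)
{
    struct dot_command_header h;
    memcpy(&h, buf, sizeof h);  /* copy out to avoid unaligned access */
    return sizeof h + h.command_size + h.data_size;
}

/* Hypothetical helper: bytes that are safe to copy, or 0 to reject the command. */
static size_t safe_copy_len(const void *buf, size_t alloc_len)
{
    if (alloc_len < sizeof(struct dot_command_header))
        return 0;               /* header itself is not fully present */
    size_t n = claimed_size(buf);
    if (n > alloc_len)
        return 0;               /* header claims more than was allocated */
    return n > EXAMPLE_I2O_COMMAND_SIZE ? EXAMPLE_I2O_COMMAND_SIZE : n;
}

/* Constructed sample: a buffer of alloc_len valid bytes with the given fields. */
static size_t check_sample(uint8_t cmd, uint16_t data, size_t alloc_len)
{
    uint8_t buf[512] = {0};
    struct dot_command_header h = { 0, cmd, data, 0, 0 };
    memcpy(buf, &h, sizeof h);
    return safe_copy_len(buf, alloc_len);
}

int main(void)
{
    printf("%zu %zu %zu\n", check_sample(4, 10, 20),
           check_sample(255, 65535, 16), check_sample(100, 300, 512));
    return 0;
}
```

With both size fields at their maximum the header claims 6 + 255 + 65535 = 65796 bytes, which matches the roughly 65 KB over-read the description gives.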
Affected Products
Linux Kernel