CVE-2026-23059 Overview
CVE-2026-23059 is a buffer overflow vulnerability in the Linux kernel's qla2xxx SCSI driver for QLogic Fibre Channel host bus adapters. The flaw resides in the qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt() functions, where firmware-reported frame_size values drive memcpy operations into a fixed 64-byte iocb member of struct purex_item. When firmware reports a frame_size greater than 64 bytes, the copy crosses the destination member boundary. The condition triggers CONFIG_FORTIFY_SOURCE warnings and represents an unsafe cross-member write inside kernel memory.
Critical Impact
Untrusted firmware input can overflow a fixed-size member in kernel memory, corrupting adjacent kernel data structures on systems using QLogic FC HBAs.
Affected Products
- Linux kernel versions containing the qla2xxx driver prior to the fix commits
- Systems running QLogic Fibre Channel host bus adapters using qla27xx_copy_fpin_pkt() or qla27xx_copy_multiple_pkt()
- Storage and SAN-attached Linux servers relying on the qla2xxx SCSI driver
Discovery Timeline
- 2026-02-04 - CVE-2026-23059 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-23059
Vulnerability Analysis
The qla2xxx driver processes Fabric Performance Impact Notification (FPIN) and multiple packet events received from QLogic Fibre Channel firmware. Both qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt() read a frame_size value supplied by firmware and use it to compute total_bytes for subsequent memcpy operations into item->iocb.
The destination iocb field is declared as a fixed 64-byte array inside struct purex_item. The driver did not validate that frame_size remained within this bound before copying. When firmware reported a frame_size larger than 64 bytes, the memcpy wrote beyond the array, producing a cross-member overflow into adjacent struct fields.
Kernels built with CONFIG_FORTIFY_SOURCE flag this pattern because compile-time and runtime size checks see a write larger than the declared destination size. Even when extra memory has been allocated for the item, the write is unsafe because it runs past the end of the iocb member of struct purex_item.
Root Cause
The root cause is missing input validation on a firmware-supplied length field. The driver trusted frame_size and used it directly as the copy length, despite the destination being a fixed-size member. This is a classic boundary condition error leading to a heap buffer overflow inside a kernel structure.
Attack Vector
Exploitation requires the firmware path to deliver a frame_size value greater than 64 bytes. The vector is local to the SCSI/FC subsystem and depends on values originating from the QLogic adapter firmware. There is no public proof-of-concept, no known exploitation in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.026%, indicating very low predicted exploitation activity.
The upstream fix caps total_bytes at sizeof(item->iocb) (64 bytes) before allocation and copying, ensuring all writes stay within the destination member bounds. See the kernel commits 1922468a4a80, 19bc5f2a6962, 408bfa8d70f7, and aa14451fa5d5 for the upstream patches.
Detection Methods for CVE-2026-23059
Indicators of Compromise
- Kernel log entries from CONFIG_FORTIFY_SOURCE reporting memcpy size overflow within qla2xxx call paths
- WARN or BUG traces referencing qla27xx_copy_fpin_pkt or qla27xx_copy_multiple_pkt
- Unexpected SCSI subsystem crashes or panics on hosts using QLogic FC HBAs
Detection Strategies
- Inventory hosts running the qla2xxx driver and identify kernel build versions lacking the upstream fix commits.
- Enable CONFIG_FORTIFY_SOURCE in kernel builds to surface cross-member memcpy violations as runtime warnings.
- Monitor dmesg and journald logs for fortify-source diagnostics tied to purex_item or qla2xxx symbols.
Monitoring Recommendations
- Forward kernel logs from Linux storage hosts to a centralized log platform and alert on fortify-source warnings.
- Track QLogic Fibre Channel firmware versions and correlate with driver crash telemetry.
- Watch for repeated SCSI driver resets or HBA reinitialization events that may indicate corrupted purex_item state.
How to Mitigate CVE-2026-23059
Immediate Actions Required
- Apply the upstream Linux kernel patches that cap total_bytes at the size of the iocb member in qla2xxx.
- Update to a stable kernel release that includes the fix commits referenced in the kernel.org advisory.
- Audit fleet inventory for hosts using QLogic FC HBAs and prioritize patching on SAN-attached storage servers.
Patch Information
The fix sanitizes the payload size by limiting total_bytes to sizeof(item->iocb) (64 bytes) before allocation and memcpy. Patches were merged across multiple stable branches in commits 1922468a4a80, 19bc5f2a6962, 408bfa8d70f7, and aa14451fa5d5. Distribution vendors will backport these to supported kernel streams; consult your distribution's security tracker for package availability.
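The capping described here and under Attack Vector, shown as an added user-space C model; it is not the qla2xxx source or the upstream patch. struct model_item, ENTRY_SIZE and the function names are hypothetical; only the 64-byte iocb member and the cap at sizeof(item->iocb) come from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOCB_SIZE  64  /* from the page: iocb is a fixed 64-byte member */
#define ENTRY_SIZE 24  /* assumption: bytes carried per ring entry in this model */

/* Hypothetical stand-in for struct purex_item; only iocb[64] is from the page. */
struct model_item {
    uint16_t size;
    uint8_t  iocb[IOCB_SIZE];
    uint32_t guard;            /* neighbouring member an overflow would reach */
};

/* Cap a device-reported length to the destination member before any copy. */
static size_t sanitize_total_bytes(size_t frame_size)
{
    return frame_size > IOCB_SIZE ? IOCB_SIZE : frame_size;
}

/* Copy a payload spread over n_entries ring entries into item->iocb.
 * Returns the number of bytes stored, never more than sizeof(item->iocb). */
static size_t copy_pkt_model(struct model_item *item, const uint8_t *ring,
                             size_t n_entries, size_t frame_size)
{
    size_t total = sanitize_total_bytes(frame_size);
    size_t done = 0;
    for (size_t i = 0; i < n_entries && done < total; i++) {
        size_t chunk = total - done;
        if (chunk > ENTRY_SIZE)
            chunk = ENTRY_SIZE;
        memcpy(item->iocb + done, ring + i * ENTRY_SIZE, chunk);
        done += chunk;
    }
    item->size = (uint16_t)done;
    return done;
}

/* Constructed input: the "firmware" claims 200 bytes across 9 entries. */
static int demo_guard_intact(void)
{
    static uint8_t ring[9 * ENTRY_SIZE];
    struct model_item item = { .guard = 0xC0FFEEu };
    memset(ring, 0xAA, sizeof(ring));
    return copy_pkt_model(&item, ring, 9, 200) == IOCB_SIZE &&
           item.size == IOCB_SIZE && item.guard == 0xC0FFEEu &&
           item.iocb[IOCB_SIZE - 1] == 0xAA;
}
int main(void) { return demo_guard_intact() ? 0 : 1; }
```

Without the call to sanitize_total_bytes(), the same loop would write 200 bytes through item->iocb and into guard, which is the cross-member write that CONFIG_FORTIFY_SOURCE reports.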
Workarounds
- If patching is not immediately possible, restrict workloads on affected hosts to trusted Fibre Channel fabrics and known-good QLogic firmware revisions.
- Where supported, unload the qla2xxx module on systems that do not require QLogic FC connectivity until a patched kernel is deployed.
- Enable CONFIG_FORTIFY_SOURCE to convert the unsafe copy into a detectable runtime warning rather than a silent corruption.
# Verify running kernel and qla2xxx module status
uname -r
modinfo qla2xxx | grep -E '^(version|filename):'
# Check for fortify-source warnings related to qla2xxx
dmesg | grep -iE 'fortify|qla27xx_copy_(fpin|multiple)_pkt'
# Unload the driver if QLogic FC is not in use (will disrupt FC I/O)
sudo modprobe -r qla2xxx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


