CVE-2026-43055 Overview
CVE-2026-43055 is a Linux kernel vulnerability in the SCSI target subsystem (target_core_file). The flaw stems from the aio_cmd allocation path failing to initialize the iocb->ki_write_stream field. When fd_execute_rw_aio() executes a write command, the uninitialized value can exceed the max_write_streams limit checked by the underlying block device, producing unintended write failures. The fix replaces the original allocator with kzalloc_flex, ensuring ki_write_stream is zeroed at allocation time. The vulnerability affects Linux kernel 7.0 release candidates rc1 through rc5.
Critical Impact
Remote attackers can trigger SCSI target write failures over the network, causing availability loss in storage targets exposed via LIO/iSCSI without requiring authentication or user interaction.
Affected Products
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2 through 7.0-rc4
- Linux Kernel 7.0-rc5
Discovery Timeline
- 2026-05-01 - CVE-2026-43055 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43055
Vulnerability Analysis
The vulnerability resides in the Linux kernel's LIO SCSI target backend target_core_file. The aio_cmd structure embeds an iocb used to dispatch asynchronous I/O to the backing file or block device. Prior to the fix, allocation did not zero the ki_write_stream member of the embedded iocb. The field therefore contained whatever residual data occupied that slab memory.
During write submission via fd_execute_rw_aio(), the kernel passes the iocb to the underlying block device. The block layer compares iocb->ki_write_stream against max_write_streams. A non-zero, attacker-influenceable, or stale value that exceeds this limit causes the write to be rejected. The result is an availability impact on storage I/O paths exposed by the SCSI target.
Root Cause
The root cause is uninitialized memory use [CWE-908]. The original allocator did not clear the ki_write_stream field, and the SCSI target code did not explicitly initialize it before submission. Replacing the allocation with kzalloc_flex guarantees the structure is zero-initialized, including any flexible array members, ensuring ki_write_stream = 0.
Attack Vector
The attack vector is network-based. SCSI targets exposed via iSCSI or other LIO fabrics accept write commands from initiators. A remote initiator issuing write operations to a vulnerable target can encounter failed writes whenever the uninitialized ki_write_stream value exceeds the device's max_write_streams. The CVSS vector indicates no privileges or user interaction are required, with availability as the only impacted dimension.
No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the upstream commits for the precise patch logic: Kernel Git Commit 01f784f, Kernel Git Commit 4eaff17, and Kernel Git Commit ce54802.
Detection Methods for CVE-2026-43055
Indicators of Compromise
- Unexplained write command failures returned to iSCSI or LIO initiators on hosts running Linux 7.0-rc1 through 7.0-rc5.
- Kernel log entries from the block layer rejecting I/O due to ki_write_stream exceeding max_write_streams.
- Storage availability incidents correlated with SCSI target backends using target_core_file on file-backed LUNs.
Detection Strategies
- Inventory Linux hosts running kernel 7.0-rc1 through 7.0-rc5 that load target_core_file and expose LIO targets.
- Audit running kernels with uname -r and confirm whether the upstream fix commits are present in the deployed source tree.
- Correlate dmesg output and /var/log/messages for write rejection patterns originating in fd_execute_rw_aio.
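The inventory and audit steps above can be scripted per host. The following is an added example, not vendor or kernel code: the function names, verdict strings and the fixture built by make_fixture are assumptions of this sketch, and the configfs path used in live mode is the standard LIO location.

```bash
#!/usr/bin/env bash
# Added example (not vendor or kernel code): triage one host for CVE-2026-43055.
# Function names and verdict strings are assumptions made for this sketch.

# True if the release string is one of the affected 7.0 release candidates (rc1-rc5).
# Accepts "7.0-rcN" and the "7.0.0-rcN" form uname -r commonly reports, with optional suffix.
is_affected_release() {
    case "$1" in
        7.0-rc[1-5] | 7.0-rc[1-5][!0-9]* | 7.0.0-rc[1-5] | 7.0.0-rc[1-5][!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if module $1 appears in a /proc/modules-format file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Count file-backed backstores under an LIO configfs core directory $1.
count_fileio_backstores() {
    local n=0 d
    for d in "$1"/fileio_*/*/; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Verdict for one host: $1 = kernel release, $2 = modules file, $3 = configfs core dir.
assess_host() {
    if ! is_affected_release "$1"; then echo "release-not-affected"; return; fi
    if ! module_loaded target_core_file "$2"; then echo "affected-release-backend-not-loaded"; return; fi
    echo "exposed-candidate fileio_backstores=$(count_fileio_backstores "$3")"
}

# Constructed fixture standing in for /proc/modules and configfs, so the logic runs offline.
make_fixture() {
    local root
    root=$(mktemp -d)
    printf '%s\n' 'target_core_file 28672 1 - Live 0x0' 'target_core_mod 512000 3 target_core_file, Live 0x0' > "$root/modules"
    mkdir -p "$root/core/fileio_0/lun_disk" "$root/core/iblock_0/fast"
    echo "$root"
}

# Live use: ./triage.sh --live
if [ "${1:-}" = "--live" ]; then
    assess_host "$(uname -r)" /proc/modules /sys/kernel/config/target/core
fi
```

A release-string match only marks a candidate: a build may already carry the fix, so confirm the commits in the deployed source tree. A backend compiled into the kernel does not appear in /proc/modules and will be reported as not loaded.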
Monitoring Recommendations
- Monitor SCSI target write error rates and surface anomalies to the SOC.
- Track kernel version drift across storage and virtualization hosts using configuration management telemetry.
- Alert on kernel module loads of target_core_file on systems where the fabric is not expected to be in use.
How to Mitigate CVE-2026-43055
Immediate Actions Required
- Upgrade affected hosts to a Linux kernel build that includes commits 01f784f, 4eaff17, or ce54802.
- Restrict network access to iSCSI portals and other LIO fabrics using firewall rules and network segmentation.
- Disable the target_core_file backend on systems that do not require file-backed SCSI targets.
Patch Information
The upstream fix replaces the aio_cmd allocator with kzalloc_flex, zeroing ki_write_stream at allocation. Apply one of the upstream commits: Kernel Git Commit 01f784f, Kernel Git Commit 4eaff17, or Kernel Git Commit ce54802. Distribution-supplied stable kernels should be preferred over manual backports.
Workarounds
- Unload the target_core_file module on hosts that do not require file-backed LIO targets: modprobe -r target_core_file.
- Limit iSCSI portal exposure to trusted management networks using ACLs at the host and network layer.
- Switch backing stores to target_core_iblock or target_core_pscsi where operationally feasible until patches are deployed.
```bash
# Configuration example
# Check the running kernel version; confirm the fix commits against the deployed source tree
uname -r
# Allow the trusted subnet, then block all other access to the iSCSI portal (port 3260)
TRUSTED_SUBNET="<trusted_subnet>"   # placeholder: replace with the trusted CIDR range
iptables -A INPUT -p tcp --dport 3260 -s "$TRUSTED_SUBNET" -j ACCEPT
iptables -A INPUT -p tcp --dport 3260 -j DROP
# Optionally disable the file backend if not required
rmmod target_core_file
echo 'blacklist target_core_file' > /etc/modprobe.d/disable-target_core_file.conf
```


