Home

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite). Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb. This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512) Fix by removing the erroneous sizeof multiplication.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-24 | Updated 2026-06-24 | Assigner Linux

Product status

Default status
unaffected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 31a9d9f9942885aae356a1a57c79e82c5b5b0828
affected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before a99a25db131ece5e6c0f7632da606de631efe4f2
affected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 11b8ff5b930b351dd1f6f088dce0beb027ac92d0
affected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before b22a2da8792a7bfe743c1a922e77fa499ddedbe8
affected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before e7216651b94e92e5433fb2f54b77864642b4ea48
affected

73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 16d990a15491cf76cd6eef0846e1b4100e63261a
affected

Default status
affected

6.0
affected

Any version before 6.0
unaffected

6.1.175 (semver)
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/31a9d9f9942885aae356a1a57c79e82c5b5b0828

git.kernel.org/...c/a99a25db131ece5e6c0f7632da606de631efe4f2

git.kernel.org/...c/11b8ff5b930b351dd1f6f088dce0beb027ac92d0

git.kernel.org/...c/b22a2da8792a7bfe743c1a922e77fa499ddedbe8

git.kernel.org/...c/e7216651b94e92e5433fb2f54b77864642b4ea48

git.kernel.org/...c/16d990a15491cf76cd6eef0846e1b4100e63261a

cve.org (CVE-2026-52968)

nvd.nist.gov (CVE-2026-52968)

Download JSON