Bug 2464418 (CVE-2026-43055)

Summary: CVE-2026-43055 kernel: scsi: target: file: Use kzalloc_flex for aio_cmd
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's SCSI target file module. The `ki_write_stream` field of `aio_cmd->iocb` is not initialized, so when a write command is executed the field can hold an incorrect value, causing unintended write failures in the block device. This vulnerability can result in a Denial of Service (DoS) for applications attempting to write data.

Description OSIDB Bzimport 2026-05-01 15:05:45 UTC
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: file: Use kzalloc_flex for aio_cmd

The target_core_file doesn't initialize the aio_cmd->iocb for the
ki_write_stream. When a write command fd_execute_rw_aio() is executed,
we may get a bogus ki_write_stream value, causing unintended write
failure status when checking iocb->ki_write_stream > max_write_streams
in the block device.

Let's just use kzalloc_flex when allocating the aio_cmd and let
ki_write_stream=0 to fix this issue.
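
The failure mode described above, modelled in user space as an added example (not kernel code and not part of the upstream patch). The struct layouts, the `uint8_t` field type, the 0xA5 fill standing in for stale heap contents and the placeholder error codes are assumptions; `calloc` stands in for the zeroing allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (assumed layout). */
struct kiocb_model { long ki_pos; uint8_t ki_write_stream; };
struct bio_vec_model { void *page; unsigned int len, offset; };
struct aio_cmd_model {
    int len;
    struct kiocb_model iocb;
    struct bio_vec_model bvecs[];   /* flexible array member */
};

/* Non-zeroing allocation: 0xA5 is a constructed stand-in for stale heap bytes. */
static void *alloc_stale(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xA5, n);
    return p;
}

/* Zeroing allocation, standing in for kzalloc_flex. */
static void *alloc_zeroed(size_t n) { return calloc(1, n); }

/* Model of the check the commit message quotes; -1 is a placeholder error. */
static int submit_write(const struct kiocb_model *iocb, unsigned int max_write_streams)
{
    return iocb->ki_write_stream > max_write_streams ? -1 : 0;
}

/* Allocate a command, set only the fields the caller knows about, submit. */
static int run_write(void *(*alloc)(size_t), size_t nr_vecs, unsigned int max_streams)
{
    struct aio_cmd_model *cmd = alloc(sizeof(*cmd) + nr_vecs * sizeof(cmd->bvecs[0]));
    int ret;

    if (!cmd)
        return -2;                  /* placeholder for allocation failure */
    cmd->len = 4096;
    cmd->iocb.ki_pos = 0;           /* ki_write_stream is never assigned */
    ret = submit_write(&cmd->iocb, max_streams);
    free(cmd);
    return ret;
}

int main(void)
{
    /* Exit 0 when stale memory fails the check and zeroed memory passes it. */
    return (run_write(alloc_stale, 4, 0) == -1 && run_write(alloc_zeroed, 4, 0) == 0) ? 0 : 1;
}
```

Whether the stale value trips the check depends on the device limit, which is why the failure is intermittent in practice: the same stale byte passes when `max_streams` is large enough.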