CVE-2026-46128 | ipmi: Check event message buffer response for bad data

In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate.

Published: 2026-05-28 Last update: 2026-06-01 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Awaiting Analysis，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-46128 is rated Low Risk (5.2/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-46128

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-28	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-46128

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-46128

GitHub Security Advisory for CVE-2026-46128

GHSA-3367-ghgr-fgg3 · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message...

OS Trackers for CVE-2026-46128

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-46128 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2.	https://security-tracker.debian.org/tracker/CVE-2026-46128
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2026-46128
`suse`	medium	CVE-2026-46128 severity moderate: SUSE including 20 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 58 product×package rows across 15 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise Live Patching 15 SP7, … (15 product lines)): Known Not Affected 54, Fixed 4.	https://www.suse.com/security/cve/CVE-2026-46128/
`ubuntu`	medium	CVE-2026-46128 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1422 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1024, ignored 173, needed 141, released 84.	https://ubuntu.com/security/CVE-2026-46128

Affected software / configurations for CVE-2026-46128

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-46128

URL	Tags
https://git.kernel.org/stable/c/01f8387fa5b796f13cf50014c171f6da7abc46ea
https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d
https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482
https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98
https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89
https://git.kernel.org/stable/c/474e53d4397087913a5b9c9eb90fa068da4808bf
https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0
https://git.kernel.org/stable/c/cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac

cvelogic Threat Intelligence