Skip to main content

Linux CVE-2026-23243

| EUVDEUVD-2026-12804 HIGH
Out-of-bounds Write (CWE-787)
2026-03-18 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 10:30 euvd
EUVD-2026-12804
Analysis Generated
Mar 18, 2026 - 10:30 vuln.today
CVE Published
Mar 18, 2026 - 10:05 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the send buffer.

KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80

AnalysisAI

A negative integer underflow vulnerability exists in the Linux kernel's RDMA/umad subsystem where the ib_umad_write function fails to validate user-controlled data_len calculations, allowing a mismatch between user MAD header size and RMPP header length to produce negative values. This negative data_len can propagate to ib_create_send_mad() and trigger an out-of-bounds memset in alloc_send_rmpp_list(), causing kernel memory corruption and denial of service. The vulnerability affects Linux kernel versions from 2.6.24 through multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) and requires local access to RDMA user-mode interface to exploit, with patches available across multiple stable kernel versions as referenced in the git commits.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky fixed 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.18.14-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

CVE-2026-23243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy