Skip to main content

Linux Kernel CVE-2026-45856

| EUVDEUVD-2026-32322 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xq3r-74hw-4c5p
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:24 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr.

If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr).

AnalysisAI

Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.

Technical ContextAI

The flaw resides in drivers/infiniband/core/uverbs_cmd.c, specifically in ib_uverbs_post_send(), which is the kernel-side handler for the user-space verbs (uverbs) interface used by RDMA-capable hardware such as InfiniBand, RoCE, and iWARP adapters. The function previously took the cmd.wqe_size field directly from userspace and passed it to kmalloc() to allocate a buffer treated as struct ib_uverbs_send_wr; because the size was never bounded against sizeof(struct ib_uverbs_send_wr), a deliberately small value allowed subsequent struct-field accesses (opcode, num_sge, etc.) to read past the allocation into adjacent slab memory, while excessively large values tripped the page-allocator WARNING reported by syzkaller. The root cause class is classic CWE-125 (out-of-bounds read) and CWE-1284 (improper validation of size parameter), and the bug had already been correctly handled in the sibling ib_uverbs_unmarshall_recv() path, making this an inconsistency fix as much as a security patch.

RemediationAI

Vendor-released patch: upgrade to Linux 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4 or later, or pull the stable commits listed at https://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075 and the companion commits (bef70ff…, bf1feed…, 9c15ec4…, bf4454d…, 9b5ac1c…, 1956f0a…, d533425…) into your downstream tree. Where immediate kernel updates are not possible, compensating controls include unloading or blacklisting the ib_uverbs module if RDMA user-space access is not required (modprobe.d blacklist ib_uverbs - note this will break any application using libibverbs, rdma-core, NCCL over IB verbs, MPI over verbs, and SPDK NVMe-oF initiators), tightening permissions on /dev/infiniband/uverbs* and /dev/infiniband/rdma_cm to a trusted group via udev rules (side effect: only privileged or whitelisted users can open RDMA contexts), or for container hosts removing CAP_SYS_RAWIO/IPC and not mounting /dev/infiniband into untrusted pods. Distribution-level advisories should be consulted via the per-vendor security trackers since no consolidated vendor advisory URL is provided beyond the kernel.org commit links.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy