Skip to main content

Linux Kernel CVE-2026-45994

| EUVDEUVD-2026-32290 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rcq2-mghh-wcf4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local write access to the ibmasm device requires a privileged or delegated local account (PR:L, AV:L, AC:L); primary impact is kernel memory disclosure (C:H) with possible oops (A:L), no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:54 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

AnalysisAI

Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.

Technical ContextAI

The affected component is drivers/misc/ibmasm in the Linux kernel, which exposes a character-device interface to IBM xSeries Advanced System Management (ASM) service processors using a 'dot command' protocol consisting of a dot_command_header followed by command and data payloads. The CPE strings (cpe:2.3:o:linux:linux_kernel) confirm the upstream kernel is affected from 2.6.12 onward, where the driver originated. CWE-125 (Out-of-bounds Read) is the root-cause class: the write handler kmalloc()s exactly count bytes from the user, copies user data into it, and then uses header fields inside that user-controlled buffer to compute total size via get_dot_command_size() = sizeof(header) + command_size + data_size; without bounds checks, get_dot_command_timeout() and a downstream memcpy_toio() to MMIO read past the allocation, exposing adjacent slab contents to the service processor.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1, or any later stable release on each branch, or pull the corresponding fix commits listed at git.kernel.org/stable/c/ (ee5737891464, d0fb4d1dc43f, a672682d39dd, aefc1a97da17, 0eb09f737428, 44ee19422aa8, 7b8a574da5d7, d50e2019c9d7); the NVD record is at https://nvd.nist.gov/vuln/detail/CVE-2026-45994. If immediate patching is not possible, unload and blacklist the ibmasm module (echo 'blacklist ibmasm' > /etc/modprobe.d/ibmasm.conf and rmmod ibmasm) which fully eliminates the attack surface but disables IBM service-processor management on affected hardware, or alternatively tighten device-node permissions on /dev/ibmasm* to root-only and audit users in any group currently granted write access, accepting that any user retaining write access can still trigger the OOB read.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy