CVE-2026-45856

HIGH

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr. If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace. Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller. This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding. Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr).

Scores

CVSS v3 7.1
EPSS 0.0016
EPSS Percentile 6.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-125
Status published
Products (26)
linux/Kernel 5.0.0 - 5.10.252linux
linux/Kernel 5.11.0 - 5.15.202linux
linux/Kernel 5.16.0 - 6.1.165linux
linux/Kernel 6.13.0 - 6.18.14linux
linux/Kernel 6.19.0 - 6.19.4linux
linux/Kernel 6.2.0 - 6.6.128linux
linux/Kernel 6.7.0 - 6.12.75linux
Linux/Linux < 5.0
Linux/Linux 5.0
Linux/Linux 5.10.252 - 5.10.*
... and 16 more
Published May 27, 2026
Tracked Since May 27, 2026