CVE-2026-23243
Received Received - Intake
Out-of-Bounds Write in Linux RDMA ib_umad_write Function

Publication date: 2026-03-18

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-04-02
Generated
2026-05-07
AI Q&A
2026-03-18
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23243
EUVD
EUVD-2026-12804
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's RDMA/umad component, specifically in the ib_umad_write function. The function calculates a data length (data_len) based on user-controlled input and header sizes. If there is a mismatch between the user MAD header size and the RMPP header length, data_len can become negative. This negative value is then passed to ib_create_send_mad(), which leads to an incorrect padding calculation that exceeds the segment size. As a result, an out-of-bounds memory write (memset) occurs in alloc_send_rmpp_list(), potentially causing memory corruption.

The vulnerability is fixed by adding an explicit check to reject any negative data_len values before creating the send buffer, preventing the out-of-bounds memory write.


How can this vulnerability impact me? :

This vulnerability can lead to out-of-bounds memory writes in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges. Since the issue arises from user-controlled input, a malicious user could exploit this to compromise the affected system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring kernel logs for specific KASAN (Kernel Address Sanitizer) slab-out-of-bounds errors related to ib_create_send_mad and ib_umad_write functions.

  • Check kernel logs for messages similar to: "BUG: KASAN: slab-out-of-bounds in ib_create_send_mad".
  • Use the command: dmesg | grep -i 'ib_create_send_mad' to find relevant error messages.
  • Monitor for out-of-bounds memory write errors in the kernel logs that mention ib_umad_write or related RDMA components.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the patch that adds an explicit check to reject negative data_len before creating the send buffer in the ib_umad_write function.

If patching is not immediately possible, consider disabling or restricting the use of RDMA/umad interfaces to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart