CVE-2026-45856
Status: Awaiting Analysis (NVD queue)
Heap Out-of-Bounds Read in Linux Kernel RDMA uverbs (missing wqe_size validation in ib_uverbs_post_send)

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr. If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr).
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: * (wildcard; no affected-version range has been assigned yet)
Helpful Resources
Exploitability: no data shown.
CWE: not yet assigned (CWE-UNKNOWN). The described behaviour, reading past the end of a heap allocation, is an out-of-bounds read, which is the weakness class CWE-125 covers.
KEV: no entry shown.
Executive Summary

The bug is in the Linux kernel's RDMA user verbs (uverbs) layer, in ib_uverbs_post_send(). The function takes wqe_size, the per-work-request size field of the userspace post-send command, and uses it unvalidated: it allocates a buffer of exactly wqe_size bytes with kmalloc(), copies each work request into that buffer, and then reads the buffer as a struct ib_uverbs_send_wr.

If the caller passes a wqe_size smaller than that structure (the description's example is 1), kmalloc() succeeds, but the subsequent accesses to fields such as opcode and num_sge read past the end of the allocation into adjacent kernel heap memory. That is an out-of-bounds read, and the bytes read can potentially leak sensitive kernel data to userspace.

At the other extreme, an excessively large wqe_size reaches the allocator and triggers a WARNING in the memory allocation path, which is how syzkaller reported the issue.

The root cause is a missing lower-bound check. The receive-side counterpart, ib_uverbs_unmarshall_recv(), already requires wqe_size >= sizeof(struct ib_uverbs_recv_wr), but ib_uverbs_post_send() had no equivalent check against sizeof(struct ib_uverbs_send_wr). Reaching the code requires local access to a uverbs device node (/dev/infiniband/uverbs*); the kernel creates these nodes with mode 0666 by default, so on an RDMA-capable host any local user can exercise the path.

Impact Analysis

The primary impact is an out-of-bounds read from kernel heap memory: the bytes immediately following an undersized kmalloc() allocation, which belong to whatever neighbouring object shares that slab, are interpreted as work-request fields. Whatever an attacker can infer from how those values are processed may disclose kernel heap contents, and heap contents often include pointers, which undermines KASLR and helps chain a separate memory-corruption bug into code execution. Nothing in the description indicates an out-of-bounds write, so the "Heap Buffer Overflow" label overstates it: this is an information-disclosure primitive, not direct memory corruption.

The oversized-wqe_size path triggers a WARNING in the memory allocation path. On its own that is noise in the kernel log, but on systems booted with panic_on_warn=1 (as syzkaller instances are) a WARN is a crash, so the same input is a local denial of service there.

Detection Guidance

The page provides no detection commands or signatures, and the undersized-wqe_size path itself leaves no kernel log entry on an unpatched kernel, so there is no direct telemetry for a successful over-read. Practical options are therefore indirect:

Kernel log: the oversized-wqe_size variant produces a WARNING from the allocator. A warning whose stack trace passes through ib_uverbs_post_send (visible in dmesg or the journal) is a strong indicator that someone is fuzzing or probing this path.

Access auditing: the attack surface is the uverbs character devices under /dev/infiniband/uverbs*. Recording which processes open those nodes (auditd file watches or eBPF tracing of openat on that directory) identifies callers that are not your known RDMA applications.

Exposure inventory: lsmod | grep ib_uverbs and ls -l /dev/infiniband/ tell you whether a host exposes the vulnerable interface at all, and with what permissions.

Mitigation Strategies

The fix adds the missing check to ib_uverbs_post_send(): a wqe_size smaller than sizeof(struct ib_uverbs_send_wr) is now rejected before the buffer is allocated and used, matching what ib_uverbs_unmarshall_recv() already did. Update to a kernel that carries this commit (the distribution's kernel security update once it is backported; no fixed version numbers are listed on this page).

Until then, limit who can reach the interface rather than relying on the good behaviour of untrusted processes:

Remove RDMA user verbs where they are not needed. If nothing on the host uses RDMA, do not load ib_uverbs (blacklist the module in modprobe configuration); without it /dev/infiniband/uverbs* does not exist.

Where RDMA is needed, tighten the device nodes. The kernel creates /dev/infiniband/uverbs* as mode 0666 by default, so a udev rule restricting them to a dedicated group confines the attack surface to the accounts that run RDMA applications.

Keep untrusted code out of containers and VMs that have uverbs devices passed through: a container with /dev/infiniband mounted exercises this path against the host kernel.
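As an added example, not code from the kernel or from this page, the following userspace model in C shows the check the fix describes and the unmarshalling loop it protects, for the Executive Summary and the Mitigation Strategies sections above. The struct send_wr_hdr layout, the WQE_SIZE_MAX ceiling, and all function names are assumptions of the model: the real struct ib_uverbs_send_wr has more fields, and the upstream fix adds only the lower bound. The model never performs the over-read; it computes how large it would be.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the leading fields of struct ib_uverbs_send_wr that the kernel
 * dereferences for every work request. The real struct continues with a
 * per-opcode union; that tail is treated as opaque bytes here (assumption). */
struct send_wr_hdr {
    uint64_t wr_id;
    uint32_t num_sge;
    uint32_t opcode;
    uint32_t send_flags;
    uint32_t imm_data;
};

/* Ceiling on one WQE. Not part of the upstream fix, which adds only the
 * lower bound; it is this example's own guard against the oversized
 * kmalloc() WARNING mentioned in the description. */
#define WQE_SIZE_MAX 4096u

/* The check the fix adds (lower bound) plus the example's ceiling. 0 = OK. */
int validate_wqe_size(uint32_t wqe_size)
{
    if (wqe_size < sizeof(struct send_wr_hdr))
        return -EINVAL; /* unpatched: field reads run past kmalloc(wqe_size) */
    if (wqe_size > WQE_SIZE_MAX)
        return -EINVAL; /* do not hand absurd sizes to the allocator */
    return 0;
}

/* Bytes the unpatched loop would read beyond a kmalloc(wqe_size) buffer
 * when it touches the header; computed, never performed. 0 = no over-read. */
size_t unchecked_overread_bytes(uint32_t wqe_size)
{
    size_t need = sizeof(struct send_wr_hdr);
    return wqe_size < need ? need - wqe_size : 0;
}

/* Userspace model of the post_send unmarshalling loop: user_buf stands in
 * for the userspace pointer, buf_len for the request length the kernel has
 * already bounded. Copies one header per WR into out. Returns the number of
 * WRs parsed, or a negative errno. */
int unmarshall_send_wrs(const uint8_t *user_buf, size_t buf_len,
                        uint32_t wqe_size, uint32_t wr_count,
                        struct send_wr_hdr *out, size_t out_cap)
{
    int ret = validate_wqe_size(wqe_size);
    if (ret)
        return ret;
    /* 64-bit product so wr_count * wqe_size cannot wrap. */
    if ((uint64_t)wr_count * wqe_size > buf_len || wr_count > out_cap)
        return -EINVAL;
    for (uint32_t i = 0; i < wr_count; i++) /* header only; tail is opaque */
        memcpy(&out[i], user_buf + (size_t)i * wqe_size, sizeof(out[i]));
    return (int)wr_count;
}

/* Builds a constructed request of three WQEs (header + 8 opaque bytes each),
 * round-trips it, then checks that wqe_size = 1 (the syzkaller-style input)
 * and a truncated request are both rejected. Returns 1 on success. */
int demo_self_check(void)
{
    uint8_t buf[256];
    struct send_wr_hdr wrs[4];
    uint32_t wqe_size = (uint32_t)sizeof(struct send_wr_hdr) + 8;
    size_t len = (size_t)wqe_size * 3;

    memset(buf, 0xAA, len); /* opaque tail bytes */
    for (uint32_t i = 0; i < 3; i++) {
        struct send_wr_hdr h = { .wr_id = 0x1000 + i, .num_sge = 1,
                                 .opcode = i, .send_flags = 0, .imm_data = 0 };
        memcpy(buf + (size_t)i * wqe_size, &h, sizeof(h));
    }
    if (unmarshall_send_wrs(buf, len, wqe_size, 3, wrs, 4) != 3)
        return 0;
    if (wrs[2].opcode != 2 || wrs[0].wr_id != 0x1000)
        return 0;
    if (unmarshall_send_wrs(buf, len, 1, 3, wrs, 4) != -EINVAL)
        return 0;
    if (unmarshall_send_wrs(buf, len - 1, wqe_size, 3, wrs, 4) != -EINVAL)
        return 0;
    return 1;
}

int main(void)
{
    printf("self check: %s\n", demo_self_check() ? "ok" : "FAILED");
    printf("wqe_size=1 would over-read %zu bytes on an unpatched kernel\n",
           unchecked_overread_bytes(1));
    return 0;
}
```

The ordering matters: validate_wqe_size() runs before any allocation or copy, which is exactly where the fix places the sizeof check, and the length test uses a 64-bit product so a large wr_count cannot wrap wr_count * wqe_size into a small number.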

Compliance Impact

Because the defect is an out-of-bounds read, the realistic worst case is disclosure of kernel heap contents to a local user, not corruption of stored data. Whether that amounts to a reportable incident depends on what the leaked memory held, and the page gives no evidence that any specific regulated data was exposed.

Frameworks such as GDPR and HIPAA require safeguarding sensitive data against unauthorized disclosure, so a host that processes regulated data should treat the kernel update as a required patch and record it under its usual vulnerability-management controls. Nothing in the available information describes a direct compliance finding beyond that.
