CVE-2026-45994
Status: Analyzed (Analysis Complete)
Out-of-Bounds Read in Linux Kernel ibmasm Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (12 associated CPEs)

Vendor  Product       Version / Range
linux   linux_kernel  2.6.12
linux   linux_kernel  From 6.7 (inc) to 6.12.86 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.175 (exc)
linux   linux_kernel  From 5.11 (inc) to 5.15.209 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.140 (exc)
linux   linux_kernel  From 2.6.12.1 (inc) to 5.10.258 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.27 (exc)
linux   linux_kernel  From 6.19 (inc) to 7.0.4 (exc)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in the Linux kernel's ibmasm component, specifically in the command_file_write() handler. The handler allocates a kernel buffer based on a user-controlled size (count) and copies user data into it without properly validating the data against the expected dot command protocol.

Because both the allocation size and certain header fields within the data (command_size and data_size) are controlled by the user independently, an attacker can manipulate these values to cause out-of-bounds (OOB) reads. This happens when get_dot_command_size() returns a size larger than the allocated buffer, leading to OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() operation.

These OOB reads can leak kernel heap memory to the service processor, potentially exposing sensitive information.

The fix involves adding two checks: rejecting writes smaller than the size of the dot_command_header before allocation, and after copying user data, rejecting commands where the buffer is smaller than the total size declared by the header (header size plus command_size plus data_size). This ensures all accesses stay within the allocated buffer.

Impact Analysis

This vulnerability can lead to out-of-bounds reads in kernel memory, which may result in leaking sensitive kernel heap memory to the service processor.

An attacker exploiting this flaw could gain unauthorized access to sensitive information stored in kernel memory, potentially compromising system security and confidentiality.

Mitigation Strategies

The vulnerability has been fixed by adding validation checks in the Linux kernel's ibmasm component. Immediate mitigation steps include ensuring your system is updated with the latest kernel patches that include these fixes.

Specifically, the fix rejects writes smaller than the size of the dot_command_header before allocation and rejects commands where the buffer is smaller than the total size declared by the header after copying user data. Applying the updated kernel version containing these guards will mitigate the vulnerability.
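The two guards that the Description and the Mitigation Strategies section describe, modelled here in user-space C as an added example; this is not the kernel's own code. Only the names command_file_write(), get_dot_command_size(), get_dot_command_timeout(), memcpy_toio() and the fields command_size and data_size come from the advisory; the header layout, the check function names and the sample byte strings are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header layout: only command_size and data_size come from the
 * advisory; type/status are placeholders, not the kernel's definition. */
struct dot_command_header {
    uint8_t type;
    uint8_t command_size; /* command bytes that follow the header */
    uint8_t data_size;    /* data bytes that follow the command */
    uint8_t status;
};

/* get_dot_command_size() as the advisory describes it: the total is taken
 * from the header alone, so it may exceed the bytes actually written. */
size_t get_dot_command_size(const void *buffer)
{
    const struct dot_command_header *h = buffer;
    return sizeof(*h) + h->command_size + h->data_size;
}

/* Guard 1 (before allocation): anything shorter than the header cannot be
 * a dot command, so no header field is ever read from it. */
int dot_command_check_count(size_t count)
{
    return count < sizeof(struct dot_command_header) ? -EINVAL : 0;
}

/* Guard 2 (after copy_from_user): the declared total must fit in count,
 * otherwise get_dot_command_timeout()/memcpy_toio() read past the buffer. */
int dot_command_check_header(const void *buffer, size_t count)
{
    if (dot_command_check_count(count) || get_dot_command_size(buffer) > count)
        return -EINVAL;
    return 0;
}

/* Constructed sample writes (not captured traffic). */
const uint8_t WRITE_SHORT[]     = { 0x00, 0x03 };             /* 2 bytes < header */
const uint8_t WRITE_TRUNCATED[] = { 0x00, 0x03, 0x00, 0x00 }; /* declares 7, has 4 */
const uint8_t WRITE_EXACT[]     = { 0x00, 0x03, 0x00, 0x00, 6, 3, 1 };
const uint8_t WRITE_WITH_DATA[] = { 0x00, 0x02, 0x02, 0x00, 7, 1, 0xAA, 0xBB };

int main(void)
{
    printf("truncated=%d exact=%d\n",
           dot_command_check_header(WRITE_TRUNCATED, sizeof WRITE_TRUNCATED),
           dot_command_check_header(WRITE_EXACT, sizeof WRITE_EXACT));
    return 0;
}
```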
