CVE-2026-45856
- Source
- https://cve.org/CVERecord?id=CVE-2026-45856
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45856.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-45856
- Downstream
- Published
- 2026-05-27T12:15:33.209Z
- Modified
- 2026-06-01T03:54:57.223492809Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
RDMA/uverbs: Validate wqesize before using it in ibuverbspostsend
ibuverbspostsend() uses cmd.wqesize from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ibuverbssend_wr.
If a user provides a small wqesize value (e.g., 1), kmalloc() will succeed, but subsequent accesses to userwr->opcode, userwr->numsge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace.
Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller.
This is inconsistent with ibuverbsunmarshallrecv() which properly validates that wqesize >= sizeof(struct ibuverbsrecv_wr) before proceeding.
Add the same validation for ibuverbspostsend() to ensure wqesize is at least sizeof(struct ibuverbssend_wr).
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45856.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075
- https://git.kernel.org/stable/c/1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0
- https://git.kernel.org/stable/c/9b5ac1c15334d46c0dbd49d64a2257b929500163
- https://git.kernel.org/stable/c/9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7
- https://git.kernel.org/stable/c/bef70ff9841990658610512b4a18e4a88c9b4df6
- https://git.kernel.org/stable/c/bf1feed1a7886af945f92890493aefd2b5c9928a
- https://git.kernel.org/stable/c/bf4454da8b1e712714628c0a0d6e7845bb40790a
- https://git.kernel.org/stable/c/d533425ac1f2925b4fc3e4ed9b9d72362cb23475
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45856.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-45856
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc3bea3d2dc5358e05541527283279102383b0231Fixed9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7Fixed9b5ac1c15334d46c0dbd49d64a2257b929500163Fixed01c9b152647dc70dc06a4a2eff86ebb3b3c76075Fixedbf1feed1a7886af945f92890493aefd2b5c9928aFixedd533425ac1f2925b4fc3e4ed9b9d72362cb23475Fixedbf4454da8b1e712714628c0a0d6e7845bb40790aFixedbef70ff9841990658610512b4a18e4a88c9b4df6Fixed1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced5.0.0Fixed5.10.252
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.202
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.165
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.128
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.75
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.14
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.4