In the Linux kernel, the following vulnerability has been resolved:
ibmasm: fix OOB reads in commandfilewrite due to missing size checks
The commandfilewrite() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to getdotcommandsize() and getdotcommandtimeout().
Since both the allocation size (count) and the header fields (commandsize, datasize) are independently user-controlled, an attacker can cause getdotcommandsize() to return a value exceeding the allocation, triggering OOB reads in getdotcommandtimeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.
Fix with two guards: reject writes smaller than sizeof(struct dotcommandheader) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + commandsize + datasize). This ensures all subsequent header and payload field accesses stay within the buffer.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45994.json"
}