Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
Published: 2026-03-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption potentially leading to denial of service or privilege escalation
Action: Patch
AI Analysis

Impact

The Linux kernel contains a flaw in the ib_umad_write function of the RDMA/umad subsystem. data_len is computed from the user-controlled count and the MAD header sizes; with a mismatched user MAD header size and RMPP header length it can become negative and still be passed to ib_create_send_mad. The negative value can make the padding calculation exceed the segment size, causing an out-of-bounds memset in alloc_send_rmpp_list() that corrupts kernel memory. The failure can trigger a KASAN error and may lead to a crash or give the attacker an opportunity to execute code with kernel privileges.
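The signed-length arithmetic behind this bug class, and the effect of the explicit check, as an added user-space example; it is a simplified model and not the kernel's code. The function names, the padding formula and all sizes are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: payload length left after both headers are removed.
 * count comes from the caller, so the result can be negative. */
static int compute_data_len(size_t count, int user_hdr_size, int hdr_len)
{
    return (int)count - user_hdr_size - hdr_len;
}

/* Assumed padding rule: fill the last segment up to seg_size.
 * C's % truncates toward zero, so a negative data_len yields a negative
 * remainder and the "padding" grows past the segment size. */
static int pad_size(int hdr_len, int data_len, int mad_size)
{
    int seg_size = mad_size - hdr_len;
    int pad;

    if (data_len && seg_size) {
        pad = seg_size - data_len % seg_size;
        return pad == seg_size ? 0 : pad;
    }
    return seg_size;
}

/* Hardened path: reject a negative length before any buffer sizing.
 * Returns 0 and sets *pad_out on success, -EINVAL on rejection. */
static int checked_prepare(size_t count, int user_hdr_size, int hdr_len,
                           int mad_size, int *pad_out)
{
    int data_len = compute_data_len(count, user_hdr_size, hdr_len);

    if (data_len < 0)
        return -EINVAL;
    *pad_out = pad_size(hdr_len, data_len, mad_size);
    return 0;
}

int main(void)
{
    int pad = 0;
    /* Constructed sizes: 64-byte user header, 36-byte header, 256-byte MAD. */
    int bad = compute_data_len(90, 64, 36);
    printf("data_len=%d pad=%d seg_size=%d\n", bad, pad_size(36, bad, 256), 256 - 36);
    printf("checked short write: %d\n", checked_prepare(90, 64, 36, 256, &pad));
    printf("checked valid write: %d pad=%d\n", checked_prepare(200, 64, 36, 256, &pad), pad);
    return 0;
}
```
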

Affected Systems

The vulnerability is present in all Linux kernel versions that use the RDMA/umad driver and have not incorporated the patch that rejects negative data_len. Because a particular range of kernel releases is not specified, any kernel build prior to the commit adding the explicit check is potentially vulnerable. Users of distributions that ship RDMA support, whether on 32-bit or 64-bit kernels, fall into this category unless they have upgraded after the fix.

Risk and Exploitability

A severity score of 7.8 indicates a high risk if the flaw is successfully exploited. The likelihood of exploitation is considered low, with an estimated exploit probability below 1%. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed exploits in the wild. Attackers would need local access to the affected system; the flaw is triggered by calls from userspace programs that interact with RDMA devices.

Generated by OpenCVE AI on April 2, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the commit which checks for negative data_len in ib_umad_write. For distributions that cannot immediately upgrade, obtain the patch from the kernel commit referenced in the advisory and apply it to the current kernel source, then rebuild and install the kernel.
  • After installing the patched kernel, reboot the system so the new kernel image is used.
  • Verify that the patch is active by checking the kernel log for any remaining KASAN or out‑of‑bounds entries and monitor for kernel crashes.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Title RDMA/umad: Reject negative data_len in ib_umad_write
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:43:56.668Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23243

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T11:16:16.090

Modified: 2026-04-02T15:16:26.467

Link: CVE-2026-23243

Redhat

Severity: Important

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23243 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:32Z

Weaknesses