Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.

If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel RDMA uverbs subsystem, ib_uverbs_post_send() accepts a user-supplied wqe_size and passes it directly to kmalloc() before using the allocated memory as a struct ib_uverbs_send_wr. If the size is too small, later reads of fields such as opcode or num_sge go beyond the allocated region, causing an out-of-bounds read from kernel heap memory. This can leak arbitrary kernel data to userspace, revealing secrets such as passwords, cryptographic keys, or other sensitive information. An excessively large wqe_size also triggers a WARNING in the memory allocation path, as reported by syzkaller. ib_uverbs_unmarshall_recv() already validates wqe_size against sizeof(struct ib_uverbs_recv_wr); the equivalent check is missing here, leading to a serious information-disclosure flaw.
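
The size check described above, modelled in userspace C as an added example (not the kernel's code and not part of the original record). struct demo_send_wr and demo_post_send() are hypothetical stand-ins for struct ib_uverbs_send_wr and ib_uverbs_post_send(), and the input-length bound is an assumption of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct ib_uverbs_send_wr (hypothetical layout). */
struct demo_send_wr {
    uint64_t wr_id;
    uint32_t num_sge;
    uint32_t opcode;
};

/*
 * Model of a post-send style handler: 'in' holds wr_count entries of
 * wqe_size bytes each, both values chosen by the caller (untrusted).
 * Returns the sum of num_sge over all entries, or a negative errno.
 */
long demo_post_send(const uint8_t *in, size_t in_len,
                    uint32_t wr_count, uint32_t wqe_size)
{
    struct demo_send_wr *wr;
    long total_sge = 0;

    /* The check the fix adds: the buffer must hold the whole header. */
    if (wqe_size < sizeof(struct demo_send_wr))
        return -EINVAL;
    /* Model assumption: entries must also fit in the supplied input,
     * which bounds the allocation size (64-bit math avoids overflow). */
    if ((uint64_t)wr_count * wqe_size > in_len)
        return -EINVAL;

    wr = malloc(wqe_size);          /* kmalloc(cmd.wqe_size) in the kernel */
    if (!wr)
        return -ENOMEM;

    for (uint32_t i = 0; i < wr_count; i++) {
        /* copy_from_user() equivalent: exactly wqe_size bytes per entry */
        memcpy(wr, in + (size_t)i * wqe_size, wqe_size);
        /* Safe only because wqe_size >= sizeof(*wr) was verified above;
         * with wqe_size == 1 these reads would run past the allocation. */
        if (wr->opcode > 16) {      /* arbitrary demo limit */
            free(wr);
            return -EINVAL;
        }
        total_sge += wr->num_sge;
    }
    free(wr);
    return total_sge;
}
```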

Affected Systems

Affects the Linux kernel, specifically the RDMA uverbs driver. No specific kernel versions are listed; the issue has been fixed in recent commits (e.g., 01c9b152). Any system that includes the affected code and interacts with RDMA devices may be vulnerable.

Risk and Exploitability

Based on the description, the flaw is local: an attacker must be able to run a userspace program that invokes the RDMA uverbs interface on the same host. Because the vulnerability leaks kernel-heap data, its impact is significant, but no remote code execution or denial-of-service has been reported. The EPSS score is not available and the issue is not in the CISA KEV catalog, so the likelihood of exploitation is unknown, yet the potential for information disclosure makes it a high-severity concern. Applying the kernel patch eliminates the root cause.

Generated by OpenCVE AI on May 27, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest stable release that includes the commit correcting the wqe_size validation.
  • Reboot or restart the RDMA subsystem to load the updated kernel and uverbs modules.
  • Restrict access to the RDMA uverbs device (e.g., /dev/rdma/uverbs) so that only trusted users can interact with it, reducing the attack surface.



Advisories

No advisories yet.

History

Wed, 27 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description section at the top of this page)
Title RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:33.209Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45856

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:16:57.670

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:00:17Z

Weaknesses