Description
In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly
count bytes and copies user data into it, but does not validate the
buffer against the dot command protocol before passing it to
get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size,
data_size) are independently user-controlled, an attacker can cause
get_dot_command_size() to return a value exceeding the allocation,
triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct
dot_command_header) before allocation, then after copying user data
reject commands where the buffer is smaller than the total size declared
by the header (sizeof(header) + command_size + data_size). This ensures
all subsequent header and payload field accesses stay within the buffer.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ibmasm command_file_write handler copies user‑supplied data into a kernel buffer that is exactly count bytes long, but it does not validate the dot command header before extracting command_size and data_size. Because both the allocation size and the header fields can be set by the attacker, a crafted command can cause get_dot_command_size() to return a larger value than the buffer, leading to out‑of‑bounds reads in get_dot_command_timeout() and an out‑of‑bounds memcpy_toio() that leaks kernel heap bytes to the service processor. This results in kernel information disclosure that could be used for privilege escalation or further exploitation. Based on the description, it is inferred that the vulnerable code is invoked when a user writes to the /dev/ibmasm command file, so the attack requires local write access to that device.
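The two guards from the description, modelled in user-space C as an added example (not the kernel patch or the driver's own code). The header layout, `validate_dot_command()` and `check_sample()` are assumptions for illustration; only `command_size`, `data_size` and the size formula come from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for this model; the page names only command_size and data_size. */
struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status;
    uint8_t  reserved;
} __attribute__((packed));

/* Guard 1 runs before any header field is read; guard 2 compares the
 * write length with the total the header declares. 0 = accept. */
int validate_dot_command(const unsigned char *buf, size_t count)
{
    struct dot_command_header h;
    if (count < sizeof(h))
        return -EINVAL;               /* too short to hold a header */
    memcpy(&h, buf, sizeof(h));
    if (count < sizeof(h) + h.command_size + h.data_size)
        return -EINVAL;               /* header claims more than was written */
    return 0;
}

/* Constructed sample: a buffer of exactly `count` bytes, like the handler's
 * allocation, carrying a header with the given (caller-chosen) sizes. */
int check_sample(size_t count, uint8_t command_size, uint16_t data_size)
{
    struct dot_command_header h = { .command_size = command_size,
                                    .data_size = data_size };
    unsigned char *buf = calloc(count ? count : 1, 1);
    int ret;
    if (!buf)
        return -ENOMEM;
    memcpy(buf, &h, count < sizeof(h) ? count : sizeof(h));
    ret = validate_dot_command(buf, count);
    free(buf);
    return ret;
}

int main(void)
{
    printf("%d %d %d\n", check_sample(3, 0, 0), check_sample(6, 4, 0x1000), check_sample(18, 4, 8));
    return 0;
}
```

A write longer than the declared total is accepted here, since the description only rejects buffers smaller than what the header declares.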

Affected Systems

The vulnerability affects Linux systems that load the ibmasm kernel module. No specific kernel version is listed, so all kernels running the vulnerable ibmasm implementation are potentially impacted.

Risk and Exploitability

The CVSS score is not provided in the data, and EPSS is not available, indicating that no public exploitation metrics exist. The vulnerability is listed as not in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires write access to the ibmasm command file interface, suggesting a local or user‑level attack vector. No publicly available exploit has been documented, and the risk depends on the presence and configuration of the ibmasm module in the target system.

Generated by OpenCVE AI on May 27, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ibmasm OOB read fix
  • If the ibmasm module is not required for your environment, unload or disable it to eliminate the attack surface
  • Restrict write access to the ibmasm command file interface (e.g., by setting appropriate permissions or using SELinux/AppArmor) so that only privileged users can interact with it

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-120

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.
Title | | ibmasm: fix OOB reads in command_file_write due to missing size checks
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:55:47.612Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45994

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:16.970

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses