CVE-2026-45994 - Vulnerability Details

- ibmasm: fix OOB reads in command_file_write due to missing size checks

Description

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly
count bytes and copies user data into it, but does not validate the
buffer against the dot command protocol before passing it to
get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size,
data_size) are independently user-controlled, an attacker can cause
get_dot_command_size() to return a value exceeding the allocation,
triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct
dot_command_header) before allocation, then after copying user data
reject commands where the buffer is smaller than the total size declared
by the header (sizeof(header) + command_size + data_size). This ensures
all subsequent header and payload field accesses stay within the buffer.

Published: 2026-05-27

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The ibmasm command_file_write handler allocates a kernel buffer of exactly count bytes for user data but does not validate the dot command header before calling get_dot_command_size() and get_dot_command_timeout(). Because both the allocation size (count) and the header fields (command_size, data_size) are user‑controlled, an attacker can craft a command that causes get_dot_command_size() to return a value larger than the allocated buffer, leading to out‑of‑bounds reads in get_dot_command_timeout() and an out‑of‑bounds memcpy_toio() that leaks kernel heap memory to the service processor. This results in kernel memory disclosure, which could be used to facilitate privilege escalation or further attacks. Based on the description, it is inferred that the vulnerable code is invoked when a user writes to the /dev/ibmasm command file, so the attack requires local write access to that device.

Affected Systems

The vulnerability affects Linux kernels that load the ibmasm module. No specific kernel version is listed, so any kernel installed with the vulnerable ibmasm implementation is potentially impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. EPSS is not currently available, suggesting no widely publicized exploitation activity. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires write access to /dev/ibmasm, implying a local or user‑level attack vector. No public exploits have been documented, but the risk remains if the ibmasm module is active and accessible to non‑privileged users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 44ee19422aa82a6847594866de7e5a31e4ef98b3
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 7b8a574da5d7ea99b943f7a3458a17a1d95e8838
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d50e2019c9d7c433f56d9dff65703eb904aa1fb1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a672682d39dd34e2b5ba4feb436723bed65125ff
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< aefc1a97da17d8309974690c8a03e439a91ebb1c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ee5737891464030a189837467df3b81a273718ad
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 0eb09f737428e482a32a2e31e5e223f2b35a71d3

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a672682d39dd34e2b5ba4feb436723bed65125ff)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,aefc1a97da17d8309974690c8a03e439a91ebb1c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ee5737891464030a189837467df3b81a273718ad)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d0fb4d1dc43f8d5179917a2daaa82680993d4cdf)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0eb09f737428e482a32a2e31e5e223f2b35a71d3)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.86,6.13.0)`	unaffected	semver	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑provided kernel update that includes the ibmasm out‑of‑bounds read fix
If ibmasm is not required, blacklist or unload the module to remove the attack surface
Restrict write access to /dev/ibmasm by setting appropriate file permissions or using MAC policies such as SELinux or AppArmor so that only privileged users can write

Generated by OpenCVE AI on May 28, 2026 at 04:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00184.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3
https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3
https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838
https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff
https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c
https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1
https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad
https://lore.kernel.org/linux-cve-announce/2026052740-CVE-2026-45994-3605@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45994
https://www.cve.org/CVERecord?id=CVE-2026-45994

History

Tue, 16 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3 https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838 https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1

Thu, 28 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-120

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026052740-CVE-2026-45994-3605@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45994 https://www.cve.org/CVERecord?id=CVE-2026-45994
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-120

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.
Title		ibmasm: fix OOB reads in command_file_write due to missing size checks
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3 https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:55:47.612Z

Updated: 2026-06-14T17:46:55.731Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45994

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:16.970

Modified: 2026-06-16T13:47:38.047

Link: CVE-2026-45994

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45994 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses

CWE-125
Out-of-bounds Read
CWE-1284
Improper Validation of Specified Quantity in Input

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object