RDMA/umad: Reject negative data_len in ib_umad_write_CVE-2026-23243

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80

Basic Information

ID CVE-2026-23243

Source Linux

Published Mar 18, 2026 at 10:05

Modified Apr 2, 2026 at 14:43

Affected Product

Vendor Linux

Product Linux

Version 2be8e3ee8efd6f99ce454115c29d09750915021a

Affected Versions Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a
Linux Linux 2.6.24

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80",
    "published": "2026-03-18T10:05:05.826Z",
    "modified": "2026-04-02T14:43:56.668Z",
    "type": "cve",
    "title": "RDMA/umad: Reject negative data_len in ib_umad_write",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e\nhttps://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7\nhttps://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2\nhttps://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d\nhttps://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316\nhttps://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56\nhttps://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b\nhttps://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2",
    "id": "CVE-2026-23243",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2be8e3ee8efd6f99ce454115c29d09750915021a\nLinux Linux 2.6.24",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "2be8e3ee8efd6f99ce454115c29d09750915021a",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply