RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send_CVE-2026-45856

7.1 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.

If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).

Basic Information

ID CVE-2026-45856

Source Linux

Published May 27, 2026 at 12:15

Modified May 30, 2026 at 10:45

Affected Product

Vendor Linux

Product Linux

Version c3bea3d2dc5358e05541527283279102383b0231

Affected Versions Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux c3bea3d2dc5358e05541527283279102383b0231
Linux Linux 5.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send\n\nib_uverbs_post_send() uses cmd.wqe_size from userspace without any\nvalidation before passing it to kmalloc() and using the allocated\nbuffer as struct ib_uverbs_send_wr.\n\nIf a user provides a small wqe_size value (e.g., 1), kmalloc() will\nsucceed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,\nand other fields will read beyond the allocated buffer, resulting in\nan out-of-bounds read from kernel heap memory. This could potentially\nleak sensitive kernel information to userspace.\n\nAdditionally, providing an excessively large wqe_size can trigger a\nWARNING in the memory allocation path, as reported by syzkaller.\n\nThis is inconsistent with ib_uverbs_unmarshall_recv() which properly\nvalidates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before\nproceeding.\n\nAdd the same validation for ib_uverbs_post_send() to ensure wqe_size\nis at least sizeof(struct ib_uverbs_send_wr).",
    "published": "2026-05-27T12:15:33.209Z",
    "modified": "2026-05-30T10:45:33.505Z",
    "type": "cve",
    "title": "RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7\nhttps://git.kernel.org/stable/c/9b5ac1c15334d46c0dbd49d64a2257b929500163\nhttps://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075\nhttps://git.kernel.org/stable/c/bf1feed1a7886af945f92890493aefd2b5c9928a\nhttps://git.kernel.org/stable/c/d533425ac1f2925b4fc3e4ed9b9d72362cb23475\nhttps://git.kernel.org/stable/c/bf4454da8b1e712714628c0a0d6e7845bb40790a\nhttps://git.kernel.org/stable/c/bef70ff9841990658610512b4a18e4a88c9b4df6\nhttps://git.kernel.org/stable/c/1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0",
    "id": "CVE-2026-45856",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux c3bea3d2dc5358e05541527283279102383b0231\nLinux Linux 5.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "c3bea3d2dc5358e05541527283279102383b0231",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply