{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45856","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.079Z","datePublished":"2026-05-27T12:15:33.209Z","dateUpdated":"2026-05-30T10:45:33.505Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-30T10:45:33.505Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send\n\nib_uverbs_post_send() uses cmd.wqe_size from userspace without any\nvalidation before passing it to kmalloc() and using the allocated\nbuffer as struct ib_uverbs_send_wr.\n\nIf a user provides a small wqe_size value (e.g., 1), kmalloc() will\nsucceed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,\nand other fields will read beyond the allocated buffer, resulting in\nan out-of-bounds read from kernel heap memory. This could potentially\nleak sensitive kernel information to userspace.\n\nAdditionally, providing an excessively large wqe_size can trigger a\nWARNING in the memory allocation path, as reported by syzkaller.\n\nThis is inconsistent with ib_uverbs_unmarshall_recv() which properly\nvalidates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before\nproceeding.\n\nAdd the same validation for ib_uverbs_post_send() to ensure wqe_size\nis at least sizeof(struct ib_uverbs_send_wr)."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/core/uverbs_cmd.c"],"versions":[{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"9b5ac1c15334d46c0dbd49d64a2257b929500163","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"01c9b152647dc70dc06a4a2eff86ebb3b3c76075","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"bf1feed1a7886af945f92890493aefd2b5c9928a","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"d533425ac1f2925b4fc3e4ed9b9d72362cb23475","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"bf4454da8b1e712714628c0a0d6e7845bb40790a","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"bef70ff9841990658610512b4a18e4a88c9b4df6","status":"affected","versionType":"git"},{"version":"c3bea3d2dc5358e05541527283279102383b0231","lessThan":"1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/core/uverbs_cmd.c"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"5.10.252","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.14","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.4","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.10.252"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.18.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.19.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7"},{"url":"https://git.kernel.org/stable/c/9b5ac1c15334d46c0dbd49d64a2257b929500163"},{"url":"https://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075"},{"url":"https://git.kernel.org/stable/c/bf1feed1a7886af945f92890493aefd2b5c9928a"},{"url":"https://git.kernel.org/stable/c/d533425ac1f2925b4fc3e4ed9b9d72362cb23475"},{"url":"https://git.kernel.org/stable/c/bf4454da8b1e712714628c0a0d6e7845bb40790a"},{"url":"https://git.kernel.org/stable/c/bef70ff9841990658610512b4a18e4a88c9b4df6"},{"url":"https://git.kernel.org/stable/c/1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0"}],"title":"RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send","x_generator":{"engine":"bippy-1.2.0"}}}}