CVE-2026-45856: RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr. If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace. Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller. This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding. Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr).
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
- Linux / Linux< 9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7 (from c3bea3d2dc5358e05541527283279102383b0231) · < 9b5ac1c15334d46c0dbd49d64a2257b929500163 (from c3bea3d2dc5358e05541527283279102383b0231) · < 01c9b152647dc70dc06a4a2eff86ebb3b3c76075 (from c3bea3d2dc5358e05541527283279102383b0231) · < bf1feed1a7886af945f92890493aefd2b5c9928a (from c3bea3d2dc5358e05541527283279102383b0231) · < d533425ac1f2925b4fc3e4ed9b9d72362cb23475 (from c3bea3d2dc5358e05541527283279102383b0231) · < bf4454da8b1e712714628c0a0d6e7845bb40790a (from c3bea3d2dc5358e05541527283279102383b0231)
- Linux / Linux5.0Fixed in 0, 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H