PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23243 Linux CVE debrief

CVE-2026-23243 is a Linux kernel memory-corruption issue in the RDMA/umad path. A user-controlled length calculation in ib_umad_write() can become negative when the MAD header size and RMPP header length do not match. That negative data_len can then reach ib_create_send_mad(), where padding calculations may exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). The fix is straightforward: reject negative data_len before creating the send buffer.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-05-21
Advisory published
2026-03-18
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers and operators running affected RDMA-enabled kernels, especially on systems where local users can reach the UMAD path. This matters most for shared, multi-user, and enterprise/HPC hosts that rely on RDMA.

Technical summary

The issue is a local kernel memory-safety bug in ib_umad_write(). The function derives data_len from user-controlled count and MAD header sizes. Under a mismatched user MAD header size and RMPP header length, data_len can go negative and flow into ib_create_send_mad(). There, the padding calculation can overrun the expected segment bounds, producing an out-of-bounds write in alloc_send_rmpp_list(). The patch adds an explicit guard to reject negative data_len before send-buffer allocation.

Defensive priority

High. NVD assigns CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and the bug is in kernel memory handling. Patch promptly on affected systems, with priority for hosts that allow untrusted local access.

Recommended defensive actions

  • Upgrade to a kernel release or vendor backport that includes the fix. NVD lists affected branches as fixed before 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, and 6.19.4.
  • Verify your distribution’s advisory or backport status for CVE-2026-23243; do not rely on upstream branch numbers alone.
  • Review whether RDMA/umad is enabled and whether local users can access the relevant interfaces on production hosts; reduce exposure where policy allows.
  • Treat crashes or KASAN reports mentioning ib_umad_write, ib_create_send_mad, or slab-out-of-bounds as high-priority signals for immediate remediation.

Evidence notes

This debrief is based on the supplied CVE/NVD record and the patch references listed there. The CVE was published on 2026-03-18 and last modified on 2026-05-21; NVD marks the vulnerability as Analyzed. The source description explicitly states the negative data_len path, the KASAN slab-out-of-bounds symptom, and the fix to reject negative data_len. Official NVD references include multiple stable.kernel.org patch links.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-03-18 and updated on 2026-05-21. No KEV listing is included in the supplied data.