PatchSiren

CVE-2026-45856 Linux CVE debrief

CVE-2026-45856 is a vulnerability in the Linux kernel's RDMA/uverbs subsystem where `ib_uverbs_post_send()` fails to validate the `wqe_size` parameter from userspace before using it for memory allocation and subsequent structure access. An attacker providing a small `wqe_size` value causes out-of-bounds reads from kernel heap memory when accessing fields like `user_wr->opcode` and `user_wr->num_sge`, potentially leaking sensitive kernel information. Excessively large values trigger memory allocation warnings. The fix adds validation to ensure `wqe_size` is at least `sizeof(struct ib_uverbs_send_wr)`, matching the existing validation in `ib_uverbs_unmarshall_recv()`.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with RDMA hardware (InfiniBand, RoCE, iWARP) and unprivileged user namespaces enabled; cloud providers offering RDMA-capable instances; HPC environments utilizing kernel-based RDMA verbs interfaces.

Technical summary

The vulnerability exists in `drivers/infiniband/core/uverbs_cmd.c` in the `ib_uverbs_post_send()` function. The function receives `cmd.wqe_size` from userspace via the `struct ib_uverbs_post_send` command without validation. This value is passed directly to `kmalloc()` to allocate a buffer for unmarshalling work requests. When a small `wqe_size` (e.g., 1 byte) is provided, `kmalloc()` succeeds but subsequent field accesses to `user_wr->opcode`, `user_wr->num_sge`, and other `struct ib_uverbs_send_wr` members read beyond the allocated buffer. This constitutes an out-of-bounds read from kernel heap memory, potentially disclosing sensitive information to unprivileged userspace. The fix introduces a validation check ensuring `wqe_size >= sizeof(struct ib_uverbs_send_wr)` before allocation, consistent with the existing validation pattern in `ib_uverbs_unmarshall_recv()`.
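
The minimum-size check described above, as an added userspace model in C (not the kernel patch and not code from this page). `struct model_send_wr`, `model_unmarshal_wr()` and the buffer-length check are hypothetical stand-ins assumed for the model; `malloc()` takes the place of `kmalloc()`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct ib_uverbs_send_wr; this field layout is
 * an assumption for the model, not the kernel's definition. */
struct model_send_wr { uint64_t wr_id; uint32_t num_sge; uint32_t opcode; };

/* Copy entry `index` of stride wqe_size out of an untrusted buffer.
 * Returns 0 and fills *out, or a negative errno. */
int model_unmarshal_wr(const uint8_t *ubuf, size_t ubuf_len,
                       uint32_t wqe_size, uint32_t index,
                       struct model_send_wr *out)
{
    /* The check the fix describes: the stride must cover the whole
     * header that is read after the copy. */
    if (wqe_size < sizeof(struct model_send_wr))
        return -EINVAL;
    /* Model-only check: the entry must lie inside the caller's buffer.
     * Dividing avoids overflow in index * wqe_size. */
    if (ubuf_len / wqe_size <= index)
        return -EINVAL;
    uint8_t *wqe = malloc(wqe_size);      /* stands in for kmalloc() */
    if (!wqe)
        return -ENOMEM;
    memcpy(wqe, ubuf + (size_t)index * wqe_size, wqe_size);
    /* In bounds only because wqe_size >= sizeof(*out) was enforced. */
    memcpy(out, wqe, sizeof(*out));
    free(wqe);
    return 0;
}

int main(void)
{
    uint8_t buf[48] = {0};  /* constructed input: two entries, stride 24 */
    struct model_send_wr wr = { 7, 1, 9 }, out;
    memcpy(buf + 24, &wr, sizeof wr);
    printf("stride 24, index 1 -> %d\n", model_unmarshal_wr(buf, sizeof buf, 24, 1, &out));
    printf("stride 1,  index 0 -> %d\n", model_unmarshal_wr(buf, sizeof buf, 1, 0, &out));
    return 0;
}
```

Without the first check, a stride of 1 would allocate a single byte and the later header copy would read past it, which is the out-of-bounds read the summary describes.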

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix for CVE-2026-45856 when available from your Linux distribution
  • Monitor stable kernel releases for backported patches to affected versions
  • Review systems utilizing RDMA (InfiniBand, RoCE, iWARP) for potential exposure
  • Consider restricting unprivileged access to RDMA devices where feasible
  • Enable kernel memory error detectors (KASAN, KFENCE) in test builds to detect similar issues during testing

Evidence notes

The vulnerability description indicates this was discovered through syzkaller fuzzing, which reported memory allocation warnings for large `wqe_size` values. The fix adds a size validation check before `kmalloc()` in `ib_uverbs_post_send()`. Multiple stable kernel branches received backports as evidenced by eight distinct git.kernel.org stable commits.
