PatchSiren cyber security CVE debrief
CVE-2026-45994 Linux CVE debrief
CVE-2026-45994 is a vulnerability in the Linux kernel's ibmasm driver that could allow out-of-bounds memory reads and information disclosure. The command_file_write() handler failed to validate user-supplied buffer sizes against the dot command protocol header before processing. An attacker with local access could craft malicious input causing get_dot_command_size() to return values exceeding the allocated buffer, leading to out-of-bounds reads in get_dot_command_timeout() and subsequent memcpy_toio() operations that leak kernel heap memory to the service processor. The fix implements two validation guards: rejecting writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data, rejecting commands where the buffer is smaller than the total declared size (sizeof(header) + command_size + data_size). This vulnerability was published on 2026-05-27 and affects the Linux kernel ibmasm driver. Multiple stable kernel branches have received patches. Organizations running affected kernel versions with the ibmasm driver enabled should prioritize patching, particularly on systems where untrusted users have local access.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux system administrators running kernels with the ibmasm driver enabled, particularly on IBM server hardware with Advanced Systems Management capabilities. Security teams managing multi-user Linux environments where untrusted local access is possible. Organizations with compliance requirements for kernel security patching.
Technical summary
The ibmasm driver's command_file_write() function in the Linux kernel failed to validate buffer sizes against the dot command protocol structure. The function allocates a kernel buffer of exactly 'count' bytes, a value taken from user input, without checking that it is at least the size of the header. After copying user data, it passes the buffer to get_dot_command_size() and get_dot_command_timeout(), which read header fields (command_size, data_size) without bounds verification. Since both the allocation size and the header fields are attacker-controlled, a malicious user can cause out-of-bounds memory reads and leak kernel heap contents to the service processor via memcpy_toio(). The vulnerability is local-only, requiring the ability to write to the ibmasm device interface.
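The two guards described in the fix, modelled in user-space C as an added example; this is not the kernel patch or the driver's own code. The struct layout and field widths, and the names model_dot_header, model_validate_write and model_try, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header model: the page names only command_size and data_size;
 * the other fields and all widths here are illustrative. */
struct model_dot_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status;
    uint8_t  reserved;
};

/* Returns 0 if a write of `count` bytes passes both guards, -1 otherwise. */
int model_validate_write(const uint8_t *buf, size_t count)
{
    struct model_dot_header h;

    /* Guard 1: too short to hold a header; reject before reading fields. */
    if (count < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));
    /* Guard 2: buffer shorter than header + command_size + data_size. */
    if (count < sizeof(h) + (size_t)h.command_size + (size_t)h.data_size)
        return -1;
    return 0;
}

/* Constructed input: header declares cmd + data bytes, write is `count` long. */
int model_try(uint8_t cmd, uint16_t data, size_t count)
{
    uint8_t buf[512] = {0};
    struct model_dot_header h = { .command_size = cmd, .data_size = data };

    memcpy(buf, &h, sizeof(h));
    return model_validate_write(buf, count);
}

int main(void)
{
    printf("short=%d overclaim=%d exact=%d\n",
           model_try(0, 0, 2), model_try(4, 200, 16), model_try(4, 6, 16));
    return 0;
}
```

Without the second guard, the over-claiming case is the one where later code would read past the end of a `count`-byte allocation.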
Defensive priority
high
Recommended defensive actions
- Apply kernel patches from stable branches when available for your distribution
- Review systems with the ibmasm driver enabled, particularly those allowing untrusted local access
- Consider disabling the ibmasm driver if IBM ASM (Advanced Systems Management) hardware is not in use
- Monitor distribution security advisories for backported fixes
- Validate kernel version after patching to confirm fix deployment
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Patch commits identified in kernel.org stable repositories. Vendor identification marked as low confidence requiring review due to 'Unknown Vendor' classification in source data.
Official resources
- CVE-2026-45994 CVE record (CVE.org)
- CVE-2026-45994 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
The vulnerability was disclosed on 2026-05-27 with patches available for multiple stable kernel branches. No known exploitation in the wild has been reported.