Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45856

Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
30/05/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send<br /> <br /> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any<br /> validation before passing it to kmalloc() and using the allocated<br /> buffer as struct ib_uverbs_send_wr.<br /> <br /> If a user provides a small wqe_size value (e.g., 1), kmalloc() will<br /> succeed, but subsequent accesses to user_wr-&gt;opcode, user_wr-&gt;num_sge,<br /> and other fields will read beyond the allocated buffer, resulting in<br /> an out-of-bounds read from kernel heap memory. This could potentially<br /> leak sensitive kernel information to userspace.<br /> <br /> Additionally, providing an excessively large wqe_size can trigger a<br /> WARNING in the memory allocation path, as reported by syzkaller.<br /> <br /> This is inconsistent with ib_uverbs_unmarshall_recv() which properly<br /> validates that wqe_size &gt;= sizeof(struct ib_uverbs_recv_wr) before<br /> proceeding.<br /> <br /> Add the same validation for ib_uverbs_post_send() to ensure wqe_size<br /> is at least sizeof(struct ib_uverbs_send_wr).