{"id":"CVE-2026-45856","summary":"RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send\n\nib_uverbs_post_send() uses cmd.wqe_size from userspace without any\nvalidation before passing it to kmalloc() and using the allocated\nbuffer as struct ib_uverbs_send_wr.\n\nIf a user provides a small wqe_size value (e.g., 1), kmalloc() will\nsucceed, but subsequent accesses to user_wr-\u003eopcode, user_wr-\u003enum_sge,\nand other fields will read beyond the allocated buffer, resulting in\nan out-of-bounds read from kernel heap memory. This could potentially\nleak sensitive kernel information to userspace.\n\nAdditionally, providing an excessively large wqe_size can trigger a\nWARNING in the memory allocation path, as reported by syzkaller.\n\nThis is inconsistent with ib_uverbs_unmarshall_recv() which properly\nvalidates that wqe_size \u003e= sizeof(struct ib_uverbs_recv_wr) before\nproceeding.\n\nAdd the same validation for ib_uverbs_post_send() to ensure wqe_size\nis at least sizeof(struct ib_uverbs_send_wr).","modified":"2026-06-01T03:54:57.223492809Z","published":"2026-05-27T12:15:33.209Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45856.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01c9b152647dc70dc06a4a2eff86ebb3b3c76075"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b5ac1c15334d46c0dbd49d64a2257b929500163"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bef70ff9841990658610512b4a18e4a88c9b4df6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf1feed1a7886af945f92890493aefd2b5c9928a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf4454da8b1e712714628c0a0d6e7845bb40790a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d533425ac1f2925b4fc3e4ed9b9d72362cb23475"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45856.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45856"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c3bea3d2dc5358e05541527283279102383b0231"},{"fixed":"9c15ec4cd4e7f57c6bbcb4e73e99290f150dd2a7"},{"fixed":"9b5ac1c15334d46c0dbd49d64a2257b929500163"},{"fixed":"01c9b152647dc70dc06a4a2eff86ebb3b3c76075"},{"fixed":"bf1feed1a7886af945f92890493aefd2b5c9928a"},{"fixed":"d533425ac1f2925b4fc3e4ed9b9d72362cb23475"},{"fixed":"bf4454da8b1e712714628c0a0d6e7845bb40790a"},{"fixed":"bef70ff9841990658610512b4a18e4a88c9b4df6"},{"fixed":"1956f0a74ccf5dc9c3ef717f2985c3ed3400aab0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45856.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.0.0"},{"fixed":"5.10.252"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.202"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45856.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}