CVE-2026-23243
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umad: Reject negative data_len in ib_umad_write
ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().
Add an explicit check to reject negative data_len before creating the send buffer.
KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel RDMA/umad, a missing negative data_len check allows a local attacker to trigger an out-of-bounds write via crafted MAD headers.
Vulnerability
Overview
In the Linux kernel's RDMA subsystem, ib_umad_write computes the data_len parameter from the user-controlled count and the MAD header sizes. When a user supplies a mismatched MAD header size and RMPP header length, data_len can become negative and is passed to ib_create_send_mad(). This negative value leads to incorrect padding calculations that exceed the segment size, resulting in an out-of-bounds memset in alloc_send_rmpp_list() [1][2][3][4].
Exploitation
An attacker with local access and the ability to write to the /dev/infiniband/umad* device can craft a malicious ib_umad_write call. No special privileges beyond write access to the character device are required. The attacker controls the data length through the count argument, and by carefully choosing the MAD header and RMPP header sizes, they can force data_len to become negative [1].
Impact
A successful exploit writes up to 220 bytes of controlled data to a kernel heap buffer outside the allocated region. This out-of-bounds write can corrupt adjacent kernel memory, potentially leading to local privilege escalation or a system crash. The KASAN report confirms a slab-out-of-bounds write in ib_create_send_mad [1].
Mitigation
The fix adds an explicit check in ib_umad_write to reject negative data_len values before creating the send buffer, preventing the vulnerability from being reached [1][2][3][4]. The patch has been applied to the stable kernel trees. Users should update to kernels containing the commit 52ab82cc5cf8 or later.
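To make the fix concrete, here is an added C model of the data_len computation and the check the patch adds. This is illustration code written for this page, not the kernel's own source: the header sizes and the segment padding formula are assumptions chosen to mirror the shape of the computation the description gives (data_len = count minus the user MAD header size minus the MAD header length).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed placeholder sizes, not the kernel's constants. */
#define UMAD_HDR_SIZE   64   /* size of the user-space MAD header */
#define MAD_HDR_LEN     36   /* header length derived from the MAD class */
#define MAD_SEG_SIZE   256   /* MAD size used to segment the payload */

/* Simplified model of the per-segment padding calculation. With a
 * non-negative data_len the result is always < seg_size; with a negative
 * data_len the C remainder is negative, so pad grows past seg_size. */
static int seg_pad_size(int hdr_len, int data_len, int mad_size)
{
	int seg_size = mad_size - hdr_len;
	int pad = seg_size - data_len % seg_size;

	return pad == seg_size ? 0 : pad;
}

/* Pre-fix shape: data_len is derived from count and handed on unchecked. */
static int compute_data_len_unchecked(size_t count)
{
	return (int)count - UMAD_HDR_SIZE - MAD_HDR_LEN;
}

/* Post-fix shape: reject a negative data_len before any buffer is built. */
static int compute_data_len_checked(size_t count, int *data_len)
{
	int len = (int)count - UMAD_HDR_SIZE - MAD_HDR_LEN;

	if (len < 0)
		return -EINVAL;
	*data_len = len;
	return 0;
}

int main(void)
{
	size_t counts[] = { 300, 100, 90 };  /* constructed sample writes */

	for (size_t i = 0; i < 3; i++) {
		int unchecked = compute_data_len_unchecked(counts[i]);
		int checked = -1;
		int rc = compute_data_len_checked(counts[i], &checked);

		printf("count=%zu unchecked data_len=%d pad=%d (seg_size=%d) rc=%d\n",
		       counts[i], unchecked,
		       seg_pad_size(MAD_HDR_LEN, unchecked, MAD_SEG_SIZE),
		       MAD_SEG_SIZE - MAD_HDR_LEN, rc);
	}
	return 0;
}
```

For count=90 the unchecked path yields data_len=-10 and a pad of 230 against a 220-byte segment, which is the overrun the description attributes to alloc_send_rmpp_list(); the checked path returns -EINVAL instead.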
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e (nvd)
- git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56 (nvd)
- git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7 (nvd)
- git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b (nvd)
- git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 (nvd)
- git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2 (nvd)
- git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316 (nvd)
- git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d (nvd)
News mentions (0)
No linked articles in our index yet.