VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45856

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr.

If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's RDMA/uverbs, ib_uverbs_post_send() lacks validation of wqe_size from userspace, leading to out-of-bounds read or memory allocation warnings.

Vulnerability

The Linux kernel's RDMA subsystem in ib_uverbs_post_send() (drivers/infiniband/core/uverbs_main.c) does not validate the wqe_size field provided by userspace before using it in kmalloc() and accessing the allocated buffer as struct ib_uverbs_send_wr. This affects kernel versions prior to the fix commit [1]. The function ib_uverbs_unmarshall_recv() already validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr), but the send path lacked equivalent checks.

Exploitation

An attacker with local access and the ability to invoke the IB_USER_VERBS_CMD_POST_SEND ioctl can supply a crafted wqe_size value. A small value (e.g., 1) causes kmalloc() to succeed but subsequent reads of user_wr->opcode, user_wr->num_sge, etc. go beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. An excessively large value can trigger a WARNING in the memory allocation path.

Impact

Successful exploitation could lead to disclosure of sensitive kernel heap memory to userspace via the out-of-bounds read. The attacker may obtain information that could aid in further privilege escalation. The vulnerability does not directly allow code execution or privilege escalation, but information leakage is a serious concern.

Mitigation

The fix was committed to the Linux kernel stable tree in commit bef70ff9841990658610512b4a18e4a88c9b4df6 [1]. Users should apply the patch or update to a kernel version containing this fix. No workaround is available; the vulnerability is fixed by validating wqe_size >= sizeof(struct ib_uverbs_send_wr).

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

d533425ac1f2

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 6.12.75 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index 535bb99ed9f5fc..2c1eb8a45f673b 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2031,7 +2031,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
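Review bot: The new test on `cmd.wqe_size` is a lower bound only, and the oversized case is handled just by adding `__GFP_NOWARN` to the `kmalloc()` flags, so a very large caller-supplied size still reaches the allocator and comes back as -ENOMEM rather than -EINVAL. Consider rejecting sizes above a sane maximum next to the `sizeof(struct ib_uverbs_send_wr)` comparison; if the flag stays instead, a one-line comment saying it is there because the size is user-controlled would help the next reader.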
    -- 
    cgit 1.3-korg
    
    
    
9b5ac1c15334

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 5.15.202 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index de631a6abe48da..754a00e2828bbd 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2031,7 +2031,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    
01c9b152647d

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 6.1.165 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index 33e2fe0facd529..2ed51a7df60fd7 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2030,7 +2030,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    
bf1feed1a788

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 6.6.128 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index 33e2fe0facd529..2ed51a7df60fd7 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2030,7 +2030,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    
bf4454da8b1e

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 6.18.14 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index ce16404cdfb8cc..3259e9848cc799 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2049,7 +2049,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    
bef70ff98419

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 6.19.4 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index ce16404cdfb8cc..3259e9848cc799 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2049,7 +2049,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
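Review bot: The `-EINVAL` return added ahead of `kmalloc()` carries no comment saying what it protects, although the reason is not obvious from the two lines alone: the allocation is later used as a `struct ib_uverbs_send_wr`, so any `cmd.wqe_size` below that struct's size leaves its fields outside the buffer. A short comment above `if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))` stating this, and noting that it mirrors the receive-side check the commit message cites, would help keep the two paths from drifting apart again.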
    -- 
    cgit 1.3-korg
    
    
    
1956f0a74ccf

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 7.0 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index ce16404cdfb8cc..3259e9848cc799 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2049,7 +2049,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    
9c15ec4cd4e7

RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Yi Liu · Jan 22, 2026 · Fixed in 5.10.252 · via kernel-cna
2 files changed · +8 4
  • drivers/infiniband/core/uverbs_cmd.c · +4 2 · modified
    diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
    index 6658de58b5144a..cdcdafee07f688 100644
    --- a/drivers/infiniband/core/uverbs_cmd.c
    +++ b/drivers/infiniband/core/uverbs_cmd.c
    @@ -2017,7 +2017,10 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
     	if (ret)
     		return ret;
     
    -	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
    +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
    +		return -EINVAL;
    +
    +	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL | __GFP_NOWARN);
     	if (!user_wr)
     		return -ENOMEM;
     
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing validation of userspace-supplied wqe_size in ib_uverbs_post_send() allows out-of-bounds heap read."

Attack vector

An attacker with access to the RDMA uverbs character device can send a crafted `IB_USER_VERBS_CMD_POST_SEND` ioctl with a `wqe_size` value smaller than `sizeof(struct ib_uverbs_send_wr)` (e.g., 1). The kernel allocates a buffer of that undersized size via `kmalloc()`, then reads fields such as `user_wr->opcode` and `user_wr->num_sge` beyond the allocated region, causing an out-of-bounds read from kernel heap memory that could leak sensitive information to userspace [patch_id=2662057]. An excessively large `wqe_size` can also trigger a WARNING in the memory allocation path.

Affected code

The vulnerable function is `ib_uverbs_post_send()` in `drivers/infiniband/core/uverbs_cmd.c`. The function reads `cmd.wqe_size` from userspace and passes it directly to `kmalloc()` without any validation, then uses the allocated buffer as `struct ib_uverbs_send_wr` [patch_id=2662057].
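The size handling described above, modeled in userspace C as an added example (not the kernel's code and not taken from the fix commits): `demo_send_wr`, `demo_post_send_cmd`, `DEMO_MAX_WQE_SIZE` and the `demo_*` functions are hypothetical names, and the struct is not the real `ib_uverbs_send_wr` layout. It goes one step past the patch by also bounding `wqe_size` from above and checking `wr_count * wqe_size` against the payload length, both of which are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size work-request header. It stands in for the role of
 * struct ib_uverbs_send_wr; it is NOT the kernel's layout. */
struct demo_send_wr {
	uint64_t wr_id;
	uint32_t num_sge;
	uint32_t opcode;
};

/* Hypothetical command header: both fields are caller-controlled. */
struct demo_post_send_cmd {
	uint32_t wr_count;
	uint32_t wqe_size;	/* stride in bytes of one work request */
};

#define DEMO_MAX_WQE_SIZE 4096u	/* assumed cap, chosen for this example */

/* Bytes of the fixed header that would lie outside a wqe_size-byte
 * allocation if no lower bound were enforced (0 means the header fits). */
size_t demo_header_bytes_outside(uint32_t wqe_size)
{
	if (wqe_size >= sizeof(struct demo_send_wr))
		return 0;
	return sizeof(struct demo_send_wr) - wqe_size;
}

/* Size checks performed before any allocation or field access. */
int demo_check_sizes(const struct demo_post_send_cmd *cmd, size_t payload_len)
{
	/* Lower bound: same shape as the check the patch adds. */
	if (cmd->wqe_size < sizeof(struct demo_send_wr))
		return -EINVAL;
	/* Upper bound (assumption of this example): reject the request
	 * instead of asking the allocator for an absurd size. */
	if (cmd->wqe_size > DEMO_MAX_WQE_SIZE)
		return -EINVAL;
	/* wr_count * wqe_size must fit in the payload; dividing avoids
	 * integer overflow in the product. wqe_size is non-zero here. */
	if (cmd->wr_count > payload_len / cmd->wqe_size)
		return -EINVAL;
	return 0;
}

/* Walks the work requests; returns the sum of num_sge or a negative errno. */
int64_t demo_post_send(const struct demo_post_send_cmd *cmd,
		       const uint8_t *payload, size_t payload_len)
{
	struct demo_send_wr hdr;
	int64_t total = 0;
	uint8_t *wqe;
	int ret = demo_check_sizes(cmd, payload_len);

	if (ret)
		return ret;
	wqe = malloc(cmd->wqe_size);
	if (!wqe)
		return -ENOMEM;
	for (uint32_t i = 0; i < cmd->wr_count; i++) {
		memcpy(wqe, payload + (size_t)i * cmd->wqe_size, cmd->wqe_size);
		/* Safe only because wqe_size >= sizeof(hdr) was enforced. */
		memcpy(&hdr, wqe, sizeof(hdr));
		total += hdr.num_sge;
	}
	free(wqe);
	return total;
}

int main(void)
{
	/* Constructed sample input: two work requests with 3 and 4 SGEs. */
	struct demo_send_wr wrs[2] = { { 1, 3, 0 }, { 2, 4, 0 } };
	struct demo_post_send_cmd cmd = { 2, sizeof(struct demo_send_wr) };

	printf("valid request: %lld\n",
	       (long long)demo_post_send(&cmd, (const uint8_t *)wrs, sizeof(wrs)));
	cmd.wqe_size = 1;	/* the undersized value named in the advisory */
	printf("wqe_size=1: %lld (header bytes outside buffer: %zu)\n",
	       (long long)demo_post_send(&cmd, (const uint8_t *)wrs, sizeof(wrs)),
	       demo_header_bytes_outside(1));
	return 0;
}
```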

What the fix does

The patch adds a size check before the `kmalloc()` call: if `cmd.wqe_size

Preconditions

  • auth: Attacker must have access to the RDMA uverbs character device to issue IB_USER_VERBS_CMD_POST_SEND ioctl calls
  • input: Attacker must be able to supply a crafted wqe_size value in the ioctl command buffer

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
