VYPR
High severity7.1NVD Advisory· Published May 27, 2026· Updated Jun 16, 2026

CVE-2026-45994

CVE-2026-45994

Description

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

8
  • Linux/Kernel7 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.12.1,<5.10.258
    • cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
    • (no CPE)

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.