CVE-2026-46145
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Validate rx_hash_key_len
Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check on rx_hash_key_len in the Linux kernel's RDMA/mana driver allows local users to overflow kernel memory via crafted uAPI input.
Vulnerability
The vulnerability resides in the Linux kernel's RDMA/mana driver. The rx_hash_key_len field originates from a userspace API (uAPI) structure and is passed directly to memcpy without any bounds validation. This allows a local user with access to the RDMA device to specify an arbitrary length, causing a buffer overflow in kernel memory. All Linux kernel versions prior to the commit [1] are affected.
Exploitation
An attacker requires local access to the system and the ability to interact with the RDMA/mana device via the uAPI. The attacker crafts a malicious uAPI structure with an oversized rx_hash_key_len value. When the driver processes this structure, it copies that many bytes into a fixed-size kernel buffer, overflowing adjacent memory.
Impact
Successful exploitation enables the attacker to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context. The precise impact depends on the memory layout and the attacker's control over the overflow data.
Mitigation
The fix is included in Linux kernel stable commit [1] (commit 012796f9541fcd0c1fa8ae4da7eb4d83931ef838). Users should update to a kernel version containing this commit. No workaround is available; the vulnerability requires a kernel patch. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
7d7c9f0fcd19 RDMA/mana: Validate rx_hash_key_len
1 file changed · +3 −1
drivers/infiniband/hw/mana/qp.c+3 −1 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 8009a339bf9ca7..3f5d088ebe407a 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -24,6 +24,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev, mdev = dev->gdma_dev; gc = mdev->gdma_context; + if (rx_hash_key_len > sizeof(req->hashkey)) + return -EINVAL; + req_buf_size = sizeof(*req) + sizeof(mana_handle_t) * MANA_INDIRECT_TABLE_SIZE; req = kzalloc(req_buf_size, GFP_KERNEL); -- cgit 1.3-korg
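Review bot: in the added guard at the top of mana_ib_cfg_vport_steering, `sizeof(req->hashkey)` is taken before `req` is assigned by the kzalloc that follows. This is valid C because sizeof does not evaluate its operand, and rejecting before the allocation leaves the -EINVAL path with nothing to free, but it reads like a use of an unset pointer, so a one-line comment would help the next reader. The hunk does not show the declaration of rx_hash_key_len; it is worth confirming in the function signature that it is an unsigned type so the comparison against a size_t behaves as intended.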
6dd2d4ad9c84 RDMA/mana: Validate rx_hash_key_len
1 file changed · +3 −1
drivers/infiniband/hw/mana/qp.c+3 −1 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 645581359cee0b..f7bb0d1f0f8034 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev, gc = mdev_to_gc(dev); + if (rx_hash_key_len > sizeof(req->hashkey)) + return -EINVAL; + req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE); req = kzalloc(req_buf_size, GFP_KERNEL); if (!req) -- cgit 1.3-korg
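Review bot: the new guard before the struct_size() allocation sets only an upper bound, so with `req` coming from kzalloc a shorter rx_hash_key_len leaves the tail of req->hashkey zeroed and the request proceeds. If the device expects a full-length key, compare with `!=` rather than `>`, or say in the commit message that short keys are intended. It would also be cleaner to reject the length where the uAPI command is first copied in, so the call fails before any other setup; this hunk does not show whether the caller unwinds on -EINVAL.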
11c1431d641e RDMA/mana: Validate rx_hash_key_len
1 file changed · +3 −1
drivers/infiniband/hw/mana/qp.c+3 −1 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 2741eec6f26fad..f3394ded785cc9 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev, gc = mdev_to_gc(dev); + if (rx_hash_key_len > sizeof(req->hashkey)) + return -EINVAL; + req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE); req = kzalloc(req_buf_size, GFP_KERNEL); if (!req) -- cgit 1.3-korg
012796f9541f RDMA/mana: Validate rx_hash_key_len
1 file changed · +3 −1
drivers/infiniband/hw/mana/qp.c+3 −1 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 67177d92f11a10..f00bf3b015e731 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev, gc = mdev_to_gc(dev); + if (rx_hash_key_len > sizeof(req->hashkey)) + return -EINVAL; + req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE); req = kzalloc(req_buf_size, GFP_KERNEL); if (!req) -- cgit 1.3-korg
7d94f155f354 RDMA/mana: Validate rx_hash_key_len
1 file changed · +3 −1
drivers/infiniband/hw/mana/qp.c+3 −1 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index bb1737176e2b42..123e298dcb8566 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev, gc = mdev_to_gc(dev); + if (rx_hash_key_len > sizeof(req->hashkey)) + return -EINVAL; + req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE); req = kzalloc(req_buf_size, GFP_KERNEL); if (!req) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing bounds check on user-supplied rx_hash_key_len allows buffer overflow in memcpy."
Attack vector
An attacker with access to the RDMA character device can craft a uAPI structure with an oversized `rx_hash_key_len` value. This value is then used as the length argument to `memcpy` in `mana_ib_cfg_vport_steering`, copying attacker-controlled data beyond the bounds of the `req->hashkey` buffer into adjacent kernel memory [patch_id=2898307]. No special privileges beyond the ability to submit RDMA uAPI requests are required; the kernel blindly trusts the user-supplied length.
Affected code
The vulnerability resides in the function `mana_ib_cfg_vport_steering` in `drivers/infiniband/hw/mana/qp.c` [patch_id=2898307]. The field `rx_hash_key_len` originates from a user-space API (uAPI) structure and is passed directly to `memcpy` without any bounds checking, allowing an attacker-controlled length to overflow the destination buffer `req->hashkey`.
What the fix does
The patch adds a single bounds check before the `memcpy` call: `if (rx_hash_key_len > sizeof(req->hashkey)) return -EINVAL;` [patch_id=2898307]. This ensures that the user-supplied length does not exceed the capacity of the destination buffer, preventing the buffer overflow. If the check fails, the function returns `-EINVAL` and the `memcpy` is never reached.
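The check described above, modelled in userspace as an added example (not the driver's code): the length is rejected before any allocation, and only in-bounds lengths reach the copy. `HASHKEY_SIZE`, `struct steer_req`, `cfg_steering()` and the canary field are hypothetical stand-ins, and the 40-byte size is an assumption.

```c
/* Added userspace model of the patched check; not the driver's code.
 * HASHKEY_SIZE, struct steer_req and cfg_steering() are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASHKEY_SIZE 40u            /* assumed size, for illustration only */
#define CANARY 0xC0FFEEu

struct steer_req {
    uint8_t  hashkey[HASHKEY_SIZE]; /* fixed-size destination */
    uint32_t canary;                /* stands in for the adjacent field */
};

/* Reject an oversized length before allocating, then copy.
 * On success *out holds the request that would be sent. */
static int cfg_steering(const uint8_t *key, uint32_t key_len,
                        struct steer_req *out)
{
    struct steer_req *req;

    /* sizeof does not evaluate req, so using it before allocation is fine */
    if (key_len > sizeof(req->hashkey))
        return -EINVAL;

    req = calloc(1, sizeof(*req));  /* zeroed, like kzalloc() */
    if (!req)
        return -ENOMEM;
    req->canary = CANARY;
    memcpy(req->hashkey, key, key_len);
    *out = *req;
    free(req);
    return 0;
}

int main(void)
{
    uint8_t key[64];                /* constructed sample key material */
    uint32_t lens[] = { 0, 16, HASHKEY_SIZE, HASHKEY_SIZE + 1, UINT32_MAX };
    struct steer_req out;

    memset(key, 0xAB, sizeof(key));
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%u -> %d\n", (unsigned)lens[i],
               cfg_steering(key, lens[i], &out));
    return 0;
}
```

Lengths up to the buffer size are accepted, with shorter keys leaving the remaining bytes zero; anything larger returns `-EINVAL` without touching memory.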
Preconditions
- auth: Attacker must be able to submit RDMA uAPI requests to the mana_ib driver (e.g., via the RDMA character device).
- input: The attacker controls the rx_hash_key_len field in the uAPI structure passed to the kernel.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/012796f9541fcd0c1fa8ae4da7eb4d83931ef838 (nvd)
- git.kernel.org/stable/c/11c1431d641e0e4e0529e96957995820600c7287 (nvd)
- git.kernel.org/stable/c/6dd2d4ad9c8429523b1c220c5132bd551c006425 (nvd)
- git.kernel.org/stable/c/7d7c9f0fcd19c4d2f0164347c58d49cafa961b72 (nvd)
- git.kernel.org/stable/c/7d94f155f354b961c598f71bafa804dceded513f (nvd)