2448594 – (CVE-2026-23243) CVE-2026-23243 kernel: Linux kernel: Denial of service and memory corruption in RDMA umad

Bug 2448594 (CVE-2026-23243) - CVE-2026-23243 kernel: Linux kernel: Denial of service and memory corruption in RDMA umad

Summary: CVE-2026-23243 kernel: Linux kernel: Denial of service and memory corruption ...

Keywords:
Status:	NEW
Alias:	CVE-2026-23243
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-18 11:02 UTC by OSIDB Bzimport
Modified:	2026-03-19 02:15 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-18 11:02:26 UTC

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80

Comment 1 Keith Grant 2026-03-18 12:29:32 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2026-23243-b88e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.