Bug 2448594 (CVE-2026-23243) - CVE-2026-23243 kernel: Linux kernel: Denial of service and memory corruption in RDMA umad
Summary: CVE-2026-23243 kernel: Linux kernel: Denial of service and memory corruption ...
Keywords:
Status: NEW
Alias: CVE-2026-23243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-18 11:02 UTC by OSIDB Bzimport
Modified: 2026-05-20 23:34 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:13936 0 None None None 2026-05-06 08:15:38 UTC
Red Hat Product Errata RHSA-2026:14137 0 None None None 2026-05-06 13:38:11 UTC
Red Hat Product Errata RHSA-2026:14339 0 None None None 2026-05-06 20:41:03 UTC
Red Hat Product Errata RHSA-2026:15883 0 None None None 2026-05-11 00:29:54 UTC
Red Hat Product Errata RHSA-2026:18134 0 None None None 2026-05-19 08:35:02 UTC
Red Hat Product Errata RHSA-2026:18587 0 None None None 2026-05-19 12:49:17 UTC
Red Hat Product Errata RHSA-2026:19521 0 None None None 2026-05-20 04:05:11 UTC
Red Hat Product Errata RHSA-2026:19875 0 None None None 2026-05-20 23:34:06 UTC

Description OSIDB Bzimport 2026-03-18 11:02:26 UTC 
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data_len in ib_umad_write

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80
Comment 1 Keith Grant 2026-03-18 12:29:32 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2026-23243-b88e@gregkh/T
Comment 4 errata-xmlrpc 2026-05-06 08:15:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:13936 https://access.redhat.com/errata/RHSA-2026:13936
Comment 5 errata-xmlrpc 2026-05-06 13:38:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:14137 https://access.redhat.com/errata/RHSA-2026:14137
Comment 6 errata-xmlrpc 2026-05-06 20:41:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:14339 https://access.redhat.com/errata/RHSA-2026:14339
Comment 7 errata-xmlrpc 2026-05-11 00:29:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:15883 https://access.redhat.com/errata/RHSA-2026:15883
Comment 8 errata-xmlrpc 2026-05-19 08:35:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:18134 https://access.redhat.com/errata/RHSA-2026:18134
Comment 9 errata-xmlrpc 2026-05-19 12:49:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:18587 https://access.redhat.com/errata/RHSA-2026:18587
Comment 10 errata-xmlrpc 2026-05-20 04:05:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:19521 https://access.redhat.com/errata/RHSA-2026:19521
Comment 11 errata-xmlrpc 2026-05-20 23:34:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:19875 https://access.redhat.com/errata/RHSA-2026:19875
Note You need to log in before you can comment on or make changes to this bug.