CVE-2026-23243

high

Published 2026-05-19 · Modified 2026-05-28

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.8

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description kernel: Linux kernel: Denial of service and memory corruption in RDMA umad Red Hat statement This bug is a kernel out-of-bounds write in the RDMA umad write path caused by a user-controlled length calculation that could underflow and pass an invalid data_len into MAD send buffer creation. A local user with access to the umad interface can trigger the issue by supplying mismatched MAD…

Description

kernel: Linux kernel: Denial of service and memory corruption in RDMA umad

Red Hat statement

This bug is a kernel out-of-bounds write in the RDMA umad write path caused by a user-controlled length calculation that could underflow and pass an invalid data_len into MAD send buffer creation. A local user with access to the umad interface can trigger the issue by supplying mismatched MAD and RMPP header sizes, which leads to an out-of-bounds memset in the send MAD allocation path and can corrupt kernel memory.

CVSS v3: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 10	`kernel-0:6.12.0-211.7.1.el10_2`	RHSA-2026:18134	2026-05-19T00:00:00Z
Red Hat Enterprise Linux 10.0 Extended Update Support	`kernel-0:6.12.0-55.72.1.el10_0`	RHSA-2026:15883	2026-05-11T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service	`kernel-0:4.18.0-477.143.1.el8_8`	RHSA-2026:19521	2026-05-20T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	`kernel-0:4.18.0-477.143.1.el8_8`	RHSA-2026:19521	2026-05-20T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-687.5.1.el9_8`	RHSA-2026:18587	2026-05-19T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-687.5.1.el9_8`	RHSA-2026:18587	2026-05-19T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`kernel-0:5.14.0-70.178.1.el9_0`	RHSA-2026:13936	2026-05-06T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`kernel-rt-0:5.14.0-70.178.1.rt21.250.el9_0`	RHSA-2026:14137	2026-05-06T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	`kernel-0:5.14.0-284.172.1.el9_2`	RHSA-2026:20593	2026-05-26T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	`kernel-rt-0:5.14.0-284.172.1.rt14.457.el9_2`	RHSA-2026:19875	2026-05-20T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support	`kernel-0:5.14.0-427.127.1.el9_4`	RHSA-2026:21209	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 9.6 Extended Update Support	`kernel-0:5.14.0-570.112.1.el9_6`	RHSA-2026:14339	2026-05-06T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`kernel`	Under investigation
Red Hat Enterprise Linux 7	`kernel`	Affected
Red Hat Enterprise Linux 7	`kernel-rt`	Affected
Red Hat Enterprise Linux 8	`kernel`	Affected
Red Hat Enterprise Linux 8	`kernel-rt`	Affected
Red Hat Enterprise Linux 9	`kernel-rt`	Affected

Apply commands

bash fix

Apply RHSA-2026:18134 for Red Hat Enterprise Linux 10

yum update -y kernel
# or:
dnf upgrade -y kernel

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
sles		affected
debian	bookworm	fixed	`6.1.170-1`
debian	forky	fixed	`6.18.14-1`
debian	sid	fixed	`6.18.14-1`
debian	trixie	fixed	`6.12.85-1`
debian	bullseye	fixed	`6.1.170-1~deb11u1`
linux-kernel		affected	`5.10.252`
linux-kernel	2.6.24	affected
almalinux	8	fixed	`kernel-doc-4.18.0-553.126.1.el8_10.noarch.rpm`

References

CWEs

CWE-787

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.