{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23243", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.989Z", "datePublished": "2026-03-18T10:05:05.826Z", "dateUpdated": "2026-05-11T22:03:05.550Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:05.550Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/core/user_mad.c"], "versions": [{"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "1371ef6b1ecf3676b8942f5dfb3634fb0648128e", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "362e45fd9069ffa1523f9f1633b606ebf72060d7", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "6eb2919474ca105c5b13d19574e25f0ddcf19ca2", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "9c80d688f402539dfc8f336de1380d6b4ee14316", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "205955f29c26330b1dc7fdeadd5bb97c38e26f56", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b", "status": "affected", "versionType": "git"}, {"version": "2be8e3ee8efd6f99ce454115c29d09750915021a", "lessThan": "5551b02fdbfd85a325bb857f3a8f9c9f33397ed2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/core/user_mad.c"], "versions": [{"version": "2.6.24", "status": "affected"}, {"version": "0", "lessThan": "2.6.24", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.252", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.10.252"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"}, {"url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"}, {"url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"}, {"url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"}, {"url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"}, {"url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"}, {"url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"}, {"url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"}], "title": "RDMA/umad: Reject negative data_len in ib_umad_write", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/umad: Rechazar data_len negativo en ib_umad_write\n\nib_umad_write calcula data_len a partir de un conteo controlado por el usuario y los tama\u00f1os de encabezado MAD. Con un tama\u00f1o de encabezado MAD de usuario no coincidente y una longitud de encabezado RMPP, data_len puede volverse negativo y alcanzar ib_create_send_mad(). Esto puede hacer que el c\u00e1lculo de relleno exceda el tama\u00f1o del segmento y desencadenar un memset fuera de l\u00edmites en alloc_send_rmpp_list().\n\nSe a\u00f1ade una verificaci\u00f3n expl\u00edcita para rechazar data_len negativo antes de crear el b\u00fafer de env\u00edo.\n\nKASAN splat:\n[ 211.363464] ERROR: KASAN: slab-out-of-bounds en ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Escritura de tama\u00f1o 220 en la direcci\u00f3n ffff88800c3fa1f8 por la tarea spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80"}], "id": "CVE-2026-23243", "lastModified": "2026-04-02T15:16:26.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T11:16:16.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1371ef6b1ecf3676b8942f5dfb3634fb0648128e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/205955f29c26330b1dc7fdeadd5bb97c38e26f56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/362e45fd9069ffa1523f9f1633b606ebf72060d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5551b02fdbfd85a325bb857f3a8f9c9f33397ed2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6eb2919474ca105c5b13d19574e25f0ddcf19ca2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c80d688f402539dfc8f336de1380d6b4ee14316"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: RDMA/umad: Reject negative data_len in ib_umad_write", "id": "2448594", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448594"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["No description is available for this CVE."], "name": "CVE-2026-23243", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23243\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23243\nhttps://lore.kernel.org/linux-cve-announce/2026031816-CVE-2026-23243-b88e@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,1371ef6b1ecf3676b8942f5dfb3634fb0648128e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,362e45fd9069ffa1523f9f1633b606ebf72060d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,6eb2919474ca105c5b13d19574e25f0ddcf19ca2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,a6a3e4af10993cb9e4b8f0548680aba0ab5f3b0d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,9c80d688f402539dfc8f336de1380d6b4ee14316)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,205955f29c26330b1dc7fdeadd5bb97c38e26f56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,52ab82cc5cf8ada5c3fb6ffe8f32fdb2fc27a34b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2be8e3ee8efd6f99ce454115c29d09750915021a,5551b02fdbfd85a325bb857f3a8f9c9f33397ed2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.24"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.24)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.252,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.202,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.165,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.14,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.4,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T17:11:35.391891+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the commit which checks for negative data_len in ib_umad_write. For distributions that cannot immediately upgrade, obtain the patch from the kernel commit referenced in the advisory and apply it to the current kernel source, then rebuild and install the kernel.", "After installing the patched kernel, reboot the system so the new kernel image is used.", "Verify that the patch is active by checking the kernel log for any remaining KASAN or out\u2011of\u2011bounds entries and monitor for kernel crashes."], "summary": {"action": "Patch", "impact": "Kernel memory corruption potentially leading to denial of service or privilege escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all Linux kernel versions that use the RDMA/umad driver and have not incorporated the patch that rejects negative data_len. Because a particular range of kernel releases is not specified, any kernel build prior to the commit adding the explicit check is potentially vulnerable. Users of distributions that ship RDMA support \u2013 whether kernel 32\u2011bit or 64\u2011bit \u2013 fall into this category unless they have upgraded after the fix.", "description_and_impact": "The Linux kernel contains a flaw in the RDMA/umad subsystem within the ib_umad_write function. When an attacker supplies a user-controlled count that, combined with a mismatched MAD header size and RMPP header length, makes the calculated data_len negative, the kernel will call ib_create_send_mad. This function performs a memset using the negative value, causing an out\u2011of-bounds write that corrupts the kernel\u2019s memory. The failure can trigger a KASAN error and may lead to a crash or give the attacker an opportunity to execute code with kernel privileges.", "risk_and_exploitability": "A severity score of 7.8 indicates a high risk if the flaw is successfully exploited. The likelihood of exploitation is considered low, with an estimated exploit probability below 1\u202f%. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed exploits in the wild. Attackers would need local access to the affected system; the flaw is triggered by calls from userspace programs that interact with RDMA devices."}}}}, "created": "2026-03-18T12:12:45.989612+00:00", "updated": "2026-04-02T20:23:32.699280+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}