CVE-2026-45994

HIGH EPSS 2.6%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <5.10.258
linuxlinux_kernel*≥5.11  –  <5.15.209
linuxlinux_kernel*≥5.16  –  <6.1.175
linuxlinux_kernel*≥6.2  –  <6.6.140
linuxlinux_kernel*≥6.7  –  <6.12.86
linuxlinux_kernel*≥6.13  –  <6.18.27
linuxlinux_kernel*≥6.19  –  <7.0.4
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad
    Patch