CVE-2026-23243 in Linux
Summary
by MITRE • 03/18/2026
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umad: Reject negative data_len in ib_umad_write
ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list().
Add an explicit check to reject negative data_len before creating the send buffer.
KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
Analysis
by VulDB Data Team • 05/21/2026
This vulnerability exists in the Linux kernel's RDMA/umad subsystem, where the ib_umad_write function fails to properly validate user-controlled input. The flaw occurs when processing InfiniBand Management Datagram (MAD) packets: the data_len calculation becomes negative because of a mismatch between the user-provided MAD header size and the RMPP header length. The negative value propagates through the call stack to ib_create_send_mad(), creating a critical buffer overflow condition.
Technically, data_len is computed from the user-controllable count and the MAD header sizes; when those sizes are inconsistent, the subtraction produces a negative result. That negative data_len is then used by alloc_send_rmpp_list(), where the padding calculation exceeds the segment boundary and leads to an out-of-bounds memset. The kernel's KASAN (Kernel Address Sanitizer) report confirms a slab-out-of-bounds write at address ffff88800c3fa1f8 with a write size of 220 bytes.
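As an added illustration (not kernel code and not part of this advisory), the following C model walks through the length arithmetic described above: the pre-fix data_len derivation, the RMPP padding computation, and the explicit negative check the patch introduces. The header sizes and the padding formula are assumptions modelled on rdma/ib_mad.h and the umad ABI; with the constructed 100-byte input the pad comes out at 220 bytes against a 192-byte segment, the same write size the KASAN splat reports.

```c
#include <stdio.h>

/* Sizes modelled on rdma/ib_mad.h and the umad ABI (assumed values). */
#define IB_MGMT_RMPP_HDR    36  /* the only header size the write() length check uses */
#define IB_MGMT_DEVICE_HDR  64  /* per-class header for device-management MADs */
#define IB_USER_MAD_HDR     64  /* sizeof(struct ib_user_mad), current umad ABI */
#define IB_MGMT_MAD_SIZE   256
#define EINVAL              22

/* Pre-fix derivation: count was only required to be >= hdr_size + IB_MGMT_RMPP_HDR,
 * but hdr_len is chosen by the management class and may be larger. */
static int umad_data_len(size_t count, int hdr_size, int hdr_len)
{
    return (int)count - hdr_size - hdr_len;
}

/* Padding to fill the last RMPP segment (modelled on the kernel helper).
 * C's '%' keeps the sign of a negative data_len, so pad can exceed seg_size. */
static int rmpp_pad_size(int hdr_len, int data_len, int mad_size)
{
    int seg_size = mad_size - hdr_len;
    if (data_len == 0 || seg_size == 0)
        return 0;
    int pad = seg_size - data_len % seg_size;
    return pad == seg_size ? 0 : pad;
}

/* Hardened derivation matching the fix: reject a negative data_len before the
 * send buffer is built. Returns data_len, or -EINVAL. */
static int umad_checked_data_len(size_t count, int hdr_size, int hdr_len)
{
    int data_len = umad_data_len(count, hdr_size, hdr_len);
    return data_len < 0 ? -EINVAL : data_len;
}

int main(void)
{
    /* Constructed input: the smallest write the old check accepts (100 bytes),
     * carrying a class whose header is 64 bytes. */
    size_t count = IB_USER_MAD_HDR + IB_MGMT_RMPP_HDR;
    int data_len = umad_data_len(count, IB_USER_MAD_HDR, IB_MGMT_DEVICE_HDR);
    int pad = rmpp_pad_size(IB_MGMT_DEVICE_HDR, data_len, IB_MGMT_MAD_SIZE);
    int seg_size = IB_MGMT_MAD_SIZE - IB_MGMT_DEVICE_HDR;
    printf("unpatched: data_len=%d pad=%d seg_size=%d overrun=%s\n",
           data_len, pad, seg_size, pad > seg_size ? "yes" : "no");
    printf("patched: %d\n",
           umad_checked_data_len(count, IB_USER_MAD_HDR, IB_MGMT_DEVICE_HDR));
    return 0;
}
```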
This vulnerability represents a classic buffer overflow condition that can be exploited to cause denial of service or potentially enable privilege escalation within the kernel context. The flaw directly maps to CWE-129, which addresses insufficient input validation, and CWE-787, covering out-of-bounds write conditions. From an operational perspective, this issue affects systems running Linux kernels with RDMA capabilities, particularly those utilizing the umad (user-mode MAD) interface for InfiniBand management operations.
The exploitation potential stems from the ability of a malicious user to craft specially formatted MAD packets that trigger the negative length calculation, making this a remote code execution risk in environments where untrusted users can access RDMA interfaces. The vulnerability aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities, and T1499, covering network denial of service attacks against kernel components.
Mitigation strategies include applying the kernel patch that implements explicit validation of data_len before buffer creation, ensuring that negative values are rejected at the function entry point. System administrators should prioritize updating affected kernel versions and implementing network segmentation to limit access to RDMA interfaces. Additionally, monitoring for KASAN reports and suspicious memory access patterns can help detect exploitation attempts, while disabling unnecessary RDMA functionality reduces the attack surface.