Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-45994— ibmasm: fix OOB reads in command_file_write due to missing size checks

AI Predicted 7.8 Difficulty: Moderate EPSS 0.03% · P10

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 44ee19422aa82a6847594866de7e5a31e4ef98b3affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 7b8a574da5d7ea99b943f7a3458a17a1d95e8838affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< d50e2019c9d7c433f56d9dff65703eb904aa1fb1affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< a672682d39dd34e2b5ba4feb436723bed65125ffaffected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< aefc1a97da17d8309974690c8a03e439a91ebb1caffected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< ee5737891464030a189837467df3b81a273718adaffected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< d0fb4d1dc43f8d5179917a2daaa82680993d4cdfaffected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2< 0eb09f737428e482a32a2e31e5e223f2b35a71d3affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-45994

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ibmasm: fix OOB reads in command_file_write due to missing size checks
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ibmasm中command_file_write函数缺少大小检查,可能导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ~ 44ee19422aa82a6847594866de7e5a31e4ef98b3 -
LinuxLinux 2.6.12 -

II. Public POCs for CVE-2026-45994

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-45994

登录查看更多情报信息。

Patches & Fixes for CVE-2026-45994 (8)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-458947.8 HIGHiommu/vt-d: Clear Present bit before tearing down PASID entry
CVE-2026-459597.8 HIGHcrypto: ccp - Fix a crash due to incorrect cleanup usage of kfree
CVE-2026-460117.8 HIGHmedia: mtk-jpeg: fix use-after-free in release path due to uncancelled work
CVE-2026-460157.8 HIGHtcp: call sk_data_ready() after listener migration
CVE-2026-458527.8 HIGHRDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-460587.8 HIGHmedia: amphion: Fix race between m2m job_abort and device_run
CVE-2026-458617.8 HIGHgfs2: Fix slab-use-after-free in qd_put
CVE-2026-460537.8 HIGHnet: rds: fix MR cleanup on copy error

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-45994

No comments yet

Leave a comment