CVE-2026-45994 Overview
CVE-2026-45994 is an out-of-bounds read vulnerability in the Linux kernel's ibmasm driver, which supports IBM Advanced System Management service processors. The flaw is in command_file_write(), the write handler for the command file that the driver exposes through its ibmasmfs pseudo-filesystem: user-supplied data is copied into a kernel buffer sized from the write length, and the buffer is never checked against the dot command protocol header at its start. A caller with write access to the command file can declare a command_size and data_size larger than the buffer, so get_dot_command_size() returns a length that exceeds the allocation and get_dot_command_timeout() indexes command bytes that were never written. The inflated length is then passed to memcpy_toio(), which copies adjacent kernel heap memory to the service processor [CWE-125].
Critical Impact
Local users who can write to the ibmasm command file can leak adjacent kernel heap memory to the service processor, potentially exposing sensitive data and aiding subsequent kernel exploitation.
Affected Products
- Linux kernel versions containing the ibmasm driver prior to the fix commits
- Systems with IBM Advanced System Management hardware on which the driver's ibmasmfs interface (and therefore command_file_write()) is reachable
- Distributions shipping affected stable kernel branches referenced in the kernel.org commits
Discovery Timeline
- 2026-05-27 - CVE-2026-45994 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45994
Vulnerability Analysis
The ibmasm driver exposes a pseudo-filesystem (ibmasmfs) whose command file accepts dot command protocol messages from user space. The command_file_write() handler allocates a kernel buffer sized exactly to the count argument supplied by the caller, then fills it with copy_from_user().
The driver later calls get_dot_command_size() and get_dot_command_timeout(), both of which interpret the dot_command_header structure at the start of the buffer. get_dot_command_size() returns sizeof(header) + command_size + data_size; get_dot_command_timeout() inspects the command bytes that follow the header. Neither checks that the region described by command_size and data_size fits within the allocation.
Because count, command_size, and data_size are independently attacker-controlled, a crafted write can declare a logical size larger than the physical buffer. get_dot_command_timeout() then reads past the buffer end, and the inflated size is passed to memcpy_toio(), which transfers kernel heap contents beyond the allocation to the service processor.
Root Cause
The root cause is missing size validation between the allocation length and the protocol header fields. The handler implicitly assumes that sizeof(header) + command_size + data_size equals count, but never enforces this invariant before header-derived lengths and offsets are used.
Attack Vector
Exploitation requires local write access to the ibmasm command file. An attacker either writes fewer bytes than sizeof(struct dot_command_header), so the header itself is partly uninitialised slab memory, or supplies a full header whose declared command_size plus data_size exceeds the allocation. The driver then reads adjacent slab memory and forwards it to the service processor, leaking kernel memory out of the kernel's address space.
The upstream patch introduces two guards: it rejects writes smaller than sizeof(struct dot_command_header) before allocating, and after the user copy it rejects any buffer smaller than sizeof(header) + command_size + data_size. Refer to the kernel commits for the precise fix logic.
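The size invariant described above, as an added example that is not the kernel's code: struct dot_command_header and the size and timeout arithmetic mirror upstream drivers/misc/ibmasm/dot_command.h, while sim_buf and the scenario_* helpers are constructed stand-ins for the count-sized slab allocation and the user write. The example computes how far the unpatched logic would read past a write of a given length and shows the two patched guards rejecting the same input.

```c
/*
 * Added example, not the kernel's code. The header struct and the
 * size/timeout arithmetic follow upstream dot_command.h; sim_buf and the
 * scenario_* helpers are constructed stand-ins used only to compute lengths.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status;
    uint8_t  reserved[3];
};  /* 8 bytes */

/* Same arithmetic as get_dot_command_size(): header + command + data. */
static size_t dot_command_size(const uint8_t *buf)
{
    const struct dot_command_header *h = (const struct dot_command_header *)buf;
    return sizeof(*h) + h->command_size + h->data_size;
}

/* get_dot_command_timeout() peeks at the bytes after the header: cmd[0..2]
 * when command_size == 3, cmd[0..3] when command_size == 7, nothing otherwise.
 * Returns one past the highest offset it would touch. */
static size_t timeout_probe_end(const uint8_t *buf)
{
    const struct dot_command_header *h = (const struct dot_command_header *)buf;
    if (h->command_size == 3) return sizeof(*h) + 3;
    if (h->command_size == 7) return sizeof(*h) + 4;
    return sizeof(*h);
}

/* Unpatched behaviour: the length handed to memcpy_toio() ignores count. */
static size_t vulnerable_transfer_len(const uint8_t *buf, size_t count)
{
    (void)count;  /* never consulted; this is the bug */
    return dot_command_size(buf);
}

/* Patched behaviour: the two guards the fix adds around the user copy. */
static int validate_dot_command(const uint8_t *buf, size_t count)
{
    if (count < sizeof(struct dot_command_header))
        return -EINVAL;  /* write shorter than the header */
    if (dot_command_size(buf) > count)
        return -EINVAL;  /* header describes more than was allocated */
    return 0;
}

/* Constructed stand-in for the count-sized slab buffer. It is oversized so
 * the example itself never reads out of bounds; only lengths are computed. */
#define SIM_CAP 64
static uint8_t sim_buf[SIM_CAP];

/* Build a count-byte write whose header declares the given sizes. */
static size_t scenario_build(uint8_t command_size, uint16_t data_size, size_t count)
{
    struct dot_command_header hdr = {
        .type = 1, .command_size = command_size, .data_size = data_size,
    };
    if (count > SIM_CAP) count = SIM_CAP;
    memset(sim_buf, 0x41, SIM_CAP);  /* constructed filler for the payload */
    memcpy(sim_buf, &hdr, count < sizeof(hdr) ? count : sizeof(hdr));
    return count;
}

/* Bytes past the allocation that the unpatched memcpy_toio() would copy. */
static size_t scenario_overread(uint8_t command_size, uint16_t data_size, size_t count)
{
    count = scenario_build(command_size, data_size, count);
    size_t want = vulnerable_transfer_len(sim_buf, count);
    return want > count ? want - count : 0;
}

/* Bytes past the allocation that get_dot_command_timeout() would inspect. */
static size_t scenario_timeout_overread(uint8_t command_size, uint16_t data_size, size_t count)
{
    count = scenario_build(command_size, data_size, count);
    size_t end = timeout_probe_end(sim_buf);
    return end > count ? end - count : 0;
}

/* 0 if the patched guards accept the write, -EINVAL if they reject it. */
static int scenario_validate(uint8_t command_size, uint16_t data_size, size_t count)
{
    count = scenario_build(command_size, data_size, count);
    return validate_dot_command(sim_buf, count);
}

int main(void)
{
    /* 16-byte write whose header claims 8 + 255 + 65535 bytes */
    printf("oversized header: memcpy_toio over-read %zu bytes, patched rc %d\n",
           scenario_overread(255, 65535, 16), scenario_validate(255, 65535, 16));
    /* 9-byte write with command_size 3: the timeout check peeks 2 bytes past it */
    printf("short command:    timeout over-read %zu bytes, patched rc %d\n",
           scenario_timeout_overread(3, 0, 9), scenario_validate(3, 0, 9));
    /* well-formed 16-byte write: 8 + 3 + 5 */
    printf("well-formed:      over-read %zu bytes, patched rc %d\n",
           scenario_overread(3, 5, 16), scenario_validate(3, 5, 16));
    return 0;
}
```

The first scenario is the one the advisory describes: a 16-byte write whose header claims 65,798 bytes, so the unpatched path would hand memcpy_toio() a length 65,782 bytes beyond the allocation. The second shows the subtler case where the header is complete but too short for the command bytes get_dot_command_timeout() indexes; the second guard catches that as well.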
Detection Methods for CVE-2026-45994
Indicators of Compromise
- Unexpected writes to the command file under the ibmasmfs mount point from non-administrative processes (the driver exposes its interface through this pseudo-filesystem, not a /dev node; the mount point is site-specific)
- Kernel log entries referencing command_file_write or ibmasm, where the running kernel emits size diagnostics for rejected writes
- Service processor logs showing inbound dot command payloads whose header sizes are inconsistent with the received length
Detection Strategies
- Audit which user accounts and processes hold open handles to files under the ibmasmfs mount point
- Monitor auditd rules covering open and write syscalls against the ibmasmfs mount point and its command file
- Compare installed kernel package versions against the fixed stable branches listed in the kernel.org commits
Monitoring Recommendations
- Enable kernel address sanitizer (KASAN) on test systems to surface out-of-bounds reads in command_file_write
- Centralize kernel ring buffer telemetry to detect repeated short or oversized writes to the driver
- Track patch deployment status across fleets running IBM service-processor-equipped hardware
How to Mitigate CVE-2026-45994
Immediate Actions Required
- Apply the stable kernel updates referenced in the Kernel Commit 0eb09f7, Kernel Commit a672682, Kernel Commit aefc1a9, Kernel Commit d0fb4d1, and Kernel Commit ee57378 advisories
- Restrict permissions on the ibmasmfs mount point and its command file to trusted administrative accounts only
- Inventory systems exposing the ibmasm driver and prioritize patching of multi-tenant or shared hosts
Patch Information
The upstream Linux kernel fix adds explicit size validation before and after the user copy in command_file_write(). The patch rejects writes smaller than the dot command header and any buffer whose declared total size exceeds the allocation. Backports are available across multiple stable kernel branches via the five referenced kernel.org commits.
Workarounds
- Unload the ibmasm kernel module on systems that do not require IBM service processor management
- Tighten permissions on the ibmasmfs mount point and command file, for example mode 0600 with root ownership, so unprivileged processes cannot open the command file for writing
- Apply mandatory access control policies (SELinux, AppArmor) to confine processes from opening the affected device
# Configuration example: disable the ibmasm module where unused
sudo modprobe -r ibmasm
# "blacklist" only stops alias-based autoloading; "install ... /bin/false"
# also makes explicit modprobe requests for the module fail
printf 'blacklist ibmasm\ninstall ibmasm /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-ibmasm.conf
sudo update-initramfs -u   # Debian/Ubuntu; on RHEL or SUSE use: sudo dracut -f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.