CVE-2026-46145
CVE-2026-46145 is a memory corruption vulnerability in the Linux kernel's RDMA/mana driver. An unprivileged local user can manipulate a parameter called rx_hash_key_len from user space to cause an unbounded memory copy operation, corrupting kernel memory. The vulnerability stems from insufficient validation of user-supplied input before it is passed to a memory copy function, creating a path for local privilege escalation or system crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-30
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The RDMA/mana driver accepts rx_hash_key_len from a user-space API structure without proper bounds validation. This untrusted length value is then used directly in a memcpy operation, enabling a heap or stack buffer overflow within kernel space. The vulnerability is classified as an out-of-bounds write (CWE-787). An attacker with local system access and sufficient privileges to interact with the RDMA interface can supply an arbitrarily large length value, causing memcpy to write beyond allocated buffer boundaries and corrupt adjacent kernel memory.
Business impact
Successful exploitation can result in kernel memory corruption leading to system instability, denial of service, or privilege escalation. An attacker could potentially escalate from a unprivileged local user account to kernel-level code execution, compromising the entire system. For organizations running RDMA-enabled infrastructure—particularly in high-performance computing, data centers, or cloud environments—this vulnerability poses a significant risk to confidentiality, integrity, and availability of affected systems.
Affected systems
The Linux kernel is affected across its various distributions and versions. Any system running a vulnerable kernel version with RDMA/mana driver support and user-space access to RDMA interfaces is at risk. This includes enterprise Linux distributions, cloud platforms, and HPC clusters that rely on RDMA for performance-critical workloads. Organizations should verify which specific kernel versions in their environment contain this vulnerability by cross-referencing their kernel version against Linux kernel security advisories and their distribution's patch schedule.
Exploitability
The vulnerability requires local system access and the ability to make RDMA user-space API calls, limiting the attack surface to authenticated local users. No network-based exploitation is possible. However, the low barrier to crafting a malicious parameter value—simply specifying an oversized length in a user-space structure—makes exploitation straightforward for an attacker with local access. The vulnerability does not require special user privileges beyond the ability to interact with RDMA interfaces, and exploitation is deterministic.
Remediation
Remediation requires applying a kernel patch that adds bounds checking on the rx_hash_key_len parameter before it is used in the memcpy operation. This validates that the length does not exceed the size of the destination buffer. Systems should update to a patched kernel version provided by their Linux distribution. Verify against your vendor's security advisory for specific patched kernel versions applicable to your distribution and release cycle.
Patch guidance
Monitor your Linux distribution's security advisories and kernel update channels for patches addressing CVE-2026-46145. Patches should include explicit bounds validation added to the RDMA/mana driver code. Test patched kernel versions in a non-production environment before rolling out to critical systems, particularly in RDMA-dependent infrastructure. Coordinate kernel updates with scheduled maintenance windows to minimize downtime in high-availability environments.
Detection guidance
Monitor system logs for unexpected kernel errors, memory corruption warnings, or kernel panics on systems with RDMA workloads active. Look for out-of-bounds write warnings from kernel memory protection mechanisms (KASan, KFENCE if enabled). Network-based detection is limited due to the local-only nature of the attack, but behavioral anomalies such as processes gaining unexpected privileges or RDMA daemon crashes may signal exploitation attempts. Review access logs for RDMA driver interface interactions and correlate with timing of system instability.
Why prioritize this
This vulnerability earns HIGH priority due to its local privilege escalation potential, memory corruption capability, and impact on security-critical kernel space. Although it requires local access, the straightforward exploitation method and severe consequences warrant rapid remediation. Organizations running RDMA-enabled systems—particularly in cloud, HPC, or data center environments where multiple tenants or workloads may coexist—should treat this as urgent, as a compromised host can undermine trust across shared infrastructure.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector (AV:L), low attack complexity (AC:L), low privilege requirements (PR:L), and no user interaction needed (UI:N). The impact is severe across all three security properties: confidentiality, integrity, and availability are all marked high (C:H/I:H/A:H), indicating that successful exploitation can lead to full compromise of the affected system. The scope is unchanged (S:U), meaning impact is limited to the vulnerable component itself rather than other systems.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46145 requires local system access and the ability to invoke RDMA user-space API calls. Remote exploitation is not possible. However, in multi-tenant cloud or shared HPC environments, an unprivileged tenant or job user with local system access poses a genuine threat.
What is the difference between this vulnerability and typical buffer overflows?
This vulnerability is an out-of-bounds write triggered by unsanitized user input passed directly to a memory copy function. Unlike many buffer overflows that exploit fixed-size buffer assumptions, this one occurs because the kernel blindly trusts a length parameter from user space without validation, making it particularly dangerous in kernel-space memory regions.
Do I need to take action if RDMA is not in use on my systems?
If your Linux systems do not have RDMA enabled or do not load the mana RDMA driver, you are not exposed to this vulnerability. However, verify your kernel configuration and loaded modules to confirm. When in doubt, apply the patch as part of routine security updates.
What should I prioritize in a large fleet of systems?
Prioritize RDMA-enabled systems first, particularly those in multi-tenant environments or exposed to untrusted users. Test patches in a staging environment to ensure stability with your RDMA workloads before broad deployment. Coordinate with the teams managing those systems to schedule patching during maintenance windows.
This analysis is provided for informational purposes and represents the state of vulnerability intelligence as of the publication date. Verify all technical details, affected versions, and patch availability against official Linux kernel security advisories and your distribution's security bulletins. No exploit code or weaponized proof-of-concept is provided or endorsed. Organizations should validate patch applicability and compatibility in their specific environments before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this information and recommends consulting official vendor advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGH
CVE-2026-10883: Type Confusion in Chrome ANGLE Graphics Library | Critical Heap Corruption
- CVE-2026-10897HIGH
CVE-2026-10897: Critical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGH
CVE-2026-10907: Chrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-46123HIGH
CVE-2026-46123: Linux Kernel Virtio Bluetooth Memory Disclosure Vulnerability
- CVE-2026-46136HIGH
CVE-2026-46136: Linux MT7921 Wi-Fi Driver Buffer Underflow – Patching Guide
- CVE-2021-4478HIGH
CVE-2021-4478: Dräger CC-Vision Buffer Overflow in .gdt File Parsing
- CVE-2025-59605HIGH
CVE-2025-59605: Qualcomm Memory Corruption in Device Identifier Processing