CVE-2026-45994

Published: May 27, 2026 · Updated: Jun 1, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

NVD Source
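
The two guards named in the description, as an added user-space C example (not the kernel patch and not code from this page). check_dot_command() is a hypothetical helper name, the 6-byte packed header layout is an assumption modelled on the driver's struct dot_command_header, and the sample buffers are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout, modelled on the ibmasm dot command header. */
struct dot_command_header {
    uint8_t  type;
    uint8_t  command_size;
    uint16_t data_size;
    uint8_t  status;
    uint8_t  reserved;
} __attribute__((packed));

/* Total length the header claims: sizeof(header) + command_size + data_size. */
static size_t declared_size(const struct dot_command_header *h)
{
    return sizeof(*h) + h->command_size + h->data_size;
}

/* Hypothetical helper: returns 0 when every header and payload access
 * stays inside the count-byte buffer, -EINVAL otherwise. */
int check_dot_command(const void *buf, size_t count)
{
    struct dot_command_header h;

    /* Guard 1: too short to hold a header (in the fix, before allocation). */
    if (count < sizeof(h))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h)); /* safe: count >= sizeof(h) */

    /* Guard 2: the header declares more bytes than were actually written. */
    if (count < declared_size(&h))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed samples; data_size bytes read the same in either byte order. */
    const uint8_t short_write[3] = { 0x00, 0x01, 0x00 };
    const uint8_t oversized[8]   = { 0x00, 0x04, 0xff, 0xff, 0x00, 0x00, 0xaa, 0xbb };
    const uint8_t well_formed[9] = { 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x11, 0x22, 0x33 };
    printf("short=%d oversized=%d ok=%d\n",
           check_dot_command(short_write, sizeof(short_write)),
           check_dot_command(oversized, sizeof(oversized)),
           check_dot_command(well_formed, sizeof(well_formed)));
    return 0;
}
```

Without the second guard, the oversized sample would make the declared size 65545 bytes against an 8-byte buffer, which is the mismatch the description attributes the out-of-bounds reads to.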

Technical Analysis

CVE-2026-45994 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-45994
Severity: NONE
CISA KEV: No
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45994 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.