CVE-2026-45994
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel within the command_file_write function, leading to out-of-bounds reads due to missing size checks. An attacker can exploit this flaw to leak kernel memory.
Risk Assessment
This vulnerability may lead to the exposure of sensitive data from kernel memory, posing a serious threat to the integrity and confidentiality of the system.
Recommendation
It is recommended to update the Linux kernel to the latest version that includes fixes for this vulnerability. Additionally, implement further size checks in applications using the command_file_write function.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

