HIGH
rdma HashKey Overflow
CVE-2026-46145
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.0 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Validate rx_hash_key_len

Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.
02 KernelScan AI Analysis
Risk summary
A buffer overflow in the RDMA mana driver allows privileged local users to corrupt kernel memory by providing an oversized rx_hash_key_len parameter. This can lead to kernel crashes or potential privilege escalation on systems with Microsoft Azure Network Adapter RDMA hardware.
Vulnerability analysis
The vulnerability occurs in mana_ib_cfg_vport_steering() where rx_hash_key_len from userspace is used directly in memcpy() without bounds checking against the destination buffer size (req->hashkey). The fix adds validation to ensure rx_hash_key_len does not exceed sizeof(req->hashkey) before the copy operation. Attack surface is limited to local users with RDMA privileges on systems with MANA hardware.
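The copy pattern described above, as an added userspace model in C (not the driver's code and not the upstream patch): a caller-supplied length copied into a fixed key field, with and without the bounds check. The struct layout, the sizes, the helper names and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this model, not taken from the driver headers. */
#define HASHKEY_SIZE 40  /* stands in for sizeof(req->hashkey) */
#define TRAILER_SIZE 24  /* request bytes that follow the key field */
/* Flat model of the request: key field first, other fields after it. */
struct steer_req { uint8_t raw[HASHKEY_SIZE + TRAILER_SIZE]; };

/* Before: the caller-supplied length drives the copy unchecked. */
static void copy_key_unchecked(struct steer_req *req, const uint8_t *key, size_t len)
{
    memcpy(req->raw, key, len); /* len > HASHKEY_SIZE spills into the trailer */
}

/* After: reject a length the key field cannot hold (-EINVAL is assumed). */
static int copy_key_checked(struct steer_req *req, const uint8_t *key, size_t len)
{
    if (len > HASHKEY_SIZE)
        return -EINVAL;
    memcpy(req->raw, key, len);
    return 0;
}

/* Copy a constructed key of `len` bytes (len <= sizeof raw) and return how
 * many trailer bytes lost their 0xAA fill; *rc gets the checked result. */
static int trailer_damage(size_t len, int checked, int *rc)
{
    struct steer_req req;
    uint8_t key[sizeof(req.raw)];
    int n = 0;
    memset(&req, 0xAA, sizeof(req));
    memset(key, 0x11, sizeof(key));
    *rc = checked ? copy_key_checked(&req, key, len) : 0;
    if (!checked)
        copy_key_unchecked(&req, key, len);
    for (size_t i = HASHKEY_SIZE; i < sizeof(req.raw); i++)
        n += (req.raw[i] != 0xAA);
    return n;
}

int main(void)
{
    int rc, bad = trailer_damage(48, 0, &rc), ok = trailer_damage(48, 1, &rc);
    printf("unchecked: %d bytes overwritten; checked: %d, rc=%d\n", bad, ok, rc);
    return 0;
}
```

The model keeps the overrun inside one array so the effect can be observed safely; in the kernel the same excess bytes would land in whatever memory follows the destination field.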
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.88 | 11c1431d641e |
| 6.18 | 6.18.30 | 012796f9541f |
| 6.6 | 6.6.141 | 7d7c9f0fcd19 |
| 7.0 | 7.0.7 | 7d94f155f354 |
| mainline | 7.1-rc3 | 6dd2d4ad9c84 |