Skip to main content

Linux Kernel CVE-2026-31425

| EUVDEUVD-2026-21950 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-13 Linux GHSA-242h-4qqp-hpg2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 18:08 vuln.today
CVSS changed
May 20, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
23e07c340c445f0ebff7757ba15434cb447eb662,450ec93c0f172374acbf236f1f5f02d53650aa2d,6b0a8de67ac0c74e1a7df92b73c862cb36780dfc
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21950
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

AnalysisAI

Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.

Technical ContextAI

The vulnerability resides in the Reliable Datagram Sockets (RDS) subsystem's InfiniBand transport layer, specifically in rds_ib_get_mr() (net/rds/ib_rdma.c:615) and the downstream rds_ib_post_reg_frmr() (net/rds/ib_frmr.c:167). On a fresh outgoing RDS/IB connection, the rds_ib_connection struct (ic) is allocated by rds_ib_conn_alloc() with i_cm_id = NULL, because the RDMA CM ID is only created later by the connection worker in rds_ib_conn_path_connect(). The existing guard in rds_ib_reg_frmr() only checks for a NULL ic pointer (added in commit 9e630bcb7701), but ic is always non-NULL once the connection object exists - it is ic->i_cm_id that is NULL. When sendmsg() is called with the RDS_CMSG_RDMA_MAP control message type before connection establishment, the FRMR (Fast Registration Memory Region) registration path proceeds through rds_ib_map_frmr()rds_ib_post_reg_frmr(), where it dereferences ic->i_cm_id->qp at offset 0x10-0x17 of a NULL pointer, triggering a KASAN-detected null-ptr-deref and crashing the kernel. CWE-476 (NULL Pointer Dereference) accurately classifies the root cause. CPE data identifies the affected product as cpe:2.3:a:linux:linux:* introduced at commit 1659185fb4d0025835eb2058a141f0746c5cab00, corresponding to Linux 4.6.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0. Upstream patch commits are available on kernel.org stable trees at the referenced git.kernel.org URLs. Distribution maintainers (Red Hat, Debian, Ubuntu, SUSE, etc.) should be monitored for stable update packages incorporating these commits. As a compensating control where immediate patching is not possible and InfiniBand is not required, administrators can prevent the kernel module from loading by blacklisting the rds_rdma and rds_ib modules (echo 'blacklist rds_rdma' >> /etc/modprobe.d/rds-disable.conf && echo 'blacklist rds_ib' >> /etc/modprobe.d/rds-disable.conf); note this will break any application relying on RDS-over-InfiniBand. If RDS/IB is required, restricting socket creation via seccomp or network namespace isolation to prevent untrusted local users from creating RDS sockets is an alternative mitigation, though implementation complexity is high. No side-channel or privilege escalation risk accompanies the fix.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-31425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy