Skip to main content

Linux Kernel CVE-2026-52939

| EUVDEUVD-2026-38709 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-v4gx-744x-jr2m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges (unprivileged AF_RDS sendmsg) suffices; no confidentiality or integrity impact, only deterministic kernel panic DoS.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 19:23 vuln.today
CVSS changed
Jul 08, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion

rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed.

RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) Call Trace: <IRQ> rds_ib_send_cqe_handler (net/rds/ib_send.c:282) poll_scq (net/rds/ib_cm.c:274) rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294) tasklet_action_common (kernel/softirq.c:943) handle_softirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.

AnalysisAI

NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Open AF_RDS socket on local host
Delivery
Connect to active IB peer
Exploit
Send atomic cmsg (CSWP or FADD)
Install
Masked opcode hits unhandled switch case
C2
rm returned as NULL
Execute
Dereference rm->m_final_op in softirq
Impact
Kernel panic and host reboot

Vulnerability AssessmentAI

Exploitation Four concurrent conditions must be met: (1) the attacker holds a local unprivileged account with the ability to create AF_RDS sockets - no special privilege escalation is required on default Linux configurations where AF_RDS is accessible; (2) the target system has an mlx4 (Mellanox ConnectX-2/3) or mlx5 (ConnectX-4 and later) InfiniBand adapter installed and the driver loaded - other hardware does not support masked atomic work requests and will not trigger the faulty code path; (3) the rds and rds_rdma kernel modules are loaded and an active RDS/IB connection exists to at least one peer; (4) the kernel version is between 2.6.37 and the relevant patched stable release. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.5 Medium score is appropriate and accurately reflects the constrained scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unprivileged user on a Linux host equipped with an mlx4 or mlx5 InfiniBand adapter opens an AF_RDS socket, establishes a connection to any peer over the active IB fabric, and transmits an atomic cmsg (CMSG_RDS_ATOMIC_CSWP or CMSG_RDS_ATOMIC_FADD). The IB hardware queues a masked atomic work request; upon completion, the kernel's softirq handler dereferences the NULL rm pointer at offset 0x190, triggering an immediate kernel panic and crashing the entire host. …
Remediation Upgrade to a patched stable kernel release: 5.10.259+ for 5.10.x users, 5.15.210+ for 5.15.x, 6.1.176+ for 6.1.x, 6.6.143+ for 6.6.x, 6.12.94+ for 6.12.x, 6.18.36+ for 6.18.x, or 7.0.13+/7.1+ for current trees. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy