Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges (unprivileged AF_RDS sendmsg) suffices; no confidentiality or integrity impact, only deterministic kernel panic DoS.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed.
RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) Call Trace: <IRQ> rds_ib_send_cqe_handler (net/rds/ib_send.c:282) poll_scq (net/rds/ib_cm.c:274) rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294) tasklet_action_common (kernel/softirq.c:943) handle_softirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt
Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.
AnalysisAI
NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Four concurrent conditions must be met: (1) the attacker holds a local unprivileged account with the ability to create AF_RDS sockets - no special privilege escalation is required on default Linux configurations where AF_RDS is accessible; (2) the target system has an mlx4 (Mellanox ConnectX-2/3) or mlx5 (ConnectX-4 and later) InfiniBand adapter installed and the driver loaded - other hardware does not support masked atomic work requests and will not trigger the faulty code path; (3) the rds and rds_rdma kernel modules are loaded and an active RDS/IB connection exists to at least one peer; (4) the kernel version is between 2.6.37 and the relevant patched stable release. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.5 Medium score is appropriate and accurately reflects the constrained scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unprivileged user on a Linux host equipped with an mlx4 or mlx5 InfiniBand adapter opens an AF_RDS socket, establishes a connection to any peer over the active IB fabric, and transmits an atomic cmsg (CMSG_RDS_ATOMIC_CSWP or CMSG_RDS_ATOMIC_FADD). The IB hardware queues a masked atomic work request; upon completion, the kernel's softirq handler dereferences the NULL rm pointer at offset 0x190, triggering an immediate kernel panic and crashing the entire host. … |
| Remediation | Upgrade to a patched stable kernel release: 5.10.259+ for 5.10.x users, 5.15.210+ for 5.15.x, 6.1.176+ for 6.1.x, 6.6.143+ for 6.6.x, 6.12.94+ for 6.12.x, 6.18.36+ for 6.18.x, or 7.0.13+/7.1+ for current trees. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38709
GHSA-v4gx-744x-jr2m