Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local RDMA-device access gives PR:L; the IOMMU-enabled, >=4G-block prerequisites make it AC:H; DMA-address corruption supports C/I/A:H within an unchanged scope.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umem: Fix truncation for block sizes >= 4G
When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries.
When __rdma_block_iter_next() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation.
Use the right types to hold DMA addresses.
AnalysisAI
Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access (CVSS AV:L) with at least low privileges (PR:L) sufficient to access RDMA verbs/devices, plus three concrete environmental prerequisites named in the description: (1) the kernel's RDMA/InfiniBand stack is in use, (2) an IOMMU is active and linearizes the mapping into a single large block split across multiple SG entries, and (3) a memory registration with a block size of 4GB (>= 2^32 bytes) or larger so the truncation boundary is crossed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a genuine but specialized issue rather than a mass-exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has local, low-privileged access to a host with RDMA hardware and an enabled IOMMU registers a user memory region of 4GB or larger, causing the kernel to linearize it into a large block split across SG entries. The 32-bit truncation in __rdma_block_iter_next() then programs the device with incorrect DMA addresses for blocks past the 2^32 boundary, steering DMA reads/writes to unintended physical memory and producing corruption or disclosure. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel for your series - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later - using your distribution's backport once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory Linux systems running kernel 5.2 through 7.1 with RDMA subsystem enabled; identify users and services with RDMA device access capabilities. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-681 – Incorrect Conversion between Numeric Types
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39338
GHSA-5rwx-cqg3-893x