Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Requires local access to RDMA uverbs with existing low privileges (AV:L/PR:L); OOB read leaks kernel memory (C:H) and panic_on_warn forces reboot (A:H) with no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
The cpu_id attribute supplied by user space through UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu() without first verifying that the value is within the valid CPU range.
Passing such untrusted data to cpumask_test_cpu() may lead to an out-of-bounds read of the underlying cpumask bitmap: the helper expands to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with no bound check.
In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this turns a bad user input into a machine reboot.
Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL before it is used.
Reported by Smatch.
AnalysisAI
Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a host with the Linux RDMA/InfiniBand stack present and the ability to open the uverbs interface (/dev/infiniband/uverbs*), then invoking the DMA handle allocation path with a controlled UVERBS_ATTR_ALLOC_DMAH_CPU_ID value larger than nr_cpu_ids. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, score 7.1) describes a locally exploitable issue requiring existing low privileges, with high confidentiality and availability impact but no integrity impact - consistent with an out-of-bounds read (potential kernel memory disclosure) plus a denial-of-service crash/reboot path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user (or a tenant inside a container granted RDMA device access) opens the RDMA uverbs interface and issues a DMAH allocation with a crafted out-of-range cpu_id. This triggers an out-of-bounds read of the cpumask bitmap, potentially disclosing adjacent kernel memory, and on kernels built with CONFIG_DEBUG_PER_CPU_MAPS and panic_on_warn it reboots the machine, causing denial of service. … |
| Remediation | Vendor-released patch: update to a fixed Linux kernel build - 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent containing the stable fix commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify systems running Linux with RDMA/core enabled or RDMA uverbs services exposed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39278
GHSA-rc47-m48r-2657