Skip to main content

Linux Kernel CVE-2026-53187

| EUVDEUVD-2026-39278 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rc47-m48r-2657
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Requires local access to RDMA uverbs with existing low privileges (AV:L/PR:L); OOB read leaks kernel memory (C:H) and panic_on_warn forces reboot (A:H) with no integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:26 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc

The cpu_id attribute supplied by user space through UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu() without first verifying that the value is within the valid CPU range.

Passing such untrusted data to cpumask_test_cpu() may lead to an out-of-bounds read of the underlying cpumask bitmap: the helper expands to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with no bound check.

In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this turns a bad user input into a machine reboot.

Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL before it is used.

Reported by Smatch.

AnalysisAI

Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged RDMA device access
Delivery
Open uverbs DMAH alloc interface
Exploit
Submit out-of-range cpu_id attribute
Execution
Trigger out-of-bounds cpumask bitmap read
Impact
Leak kernel memory or panic_on_warn reboot

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a host with the Linux RDMA/InfiniBand stack present and the ability to open the uverbs interface (/dev/infiniband/uverbs*), then invoking the DMA handle allocation path with a controlled UVERBS_ATTR_ALLOC_DMAH_CPU_ID value larger than nr_cpu_ids. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, score 7.1) describes a locally exploitable issue requiring existing low privileges, with high confidentiality and availability impact but no integrity impact - consistent with an out-of-bounds read (potential kernel memory disclosure) plus a denial-of-service crash/reboot path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user (or a tenant inside a container granted RDMA device access) opens the RDMA uverbs interface and issues a DMAH allocation with a crafted out-of-range cpu_id. This triggers an out-of-bounds read of the cpumask bitmap, potentially disclosing adjacent kernel memory, and on kernels built with CONFIG_DEBUG_PER_CPU_MAPS and panic_on_warn it reboots the machine, causing denial of service. …
Remediation Vendor-released patch: update to a fixed Linux kernel build - 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent containing the stable fix commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running Linux with RDMA/core enabled or RDMA uverbs services exposed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53187 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy