Skip to main content

Linux Kernel EUVDEUVD-2026-28775

| CVE-2026-43469 HIGH
2026-05-08 Linux GHSA-mxr7-7p5m-m8xr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:39 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: Decrement re_receiving on the early exit paths

In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered.

On a system with high memory pressure, this can appear as the following hung task:

INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: <TASK> __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

AnalysisAI

Denial of service in Linux kernel's xprtrdma subsystem causes system hang when memory allocation fails during RDMA receive buffer posting. Affects NFS over RDMA (RoCE/InfiniBand) deployments running kernel versions 5.13 through 6.19.8, 6.18.18 and earlier, 6.12.77 and earlier, 6.6.129 and earlier, 6.1.166 and earlier, and 5.15.202 and earlier. Systems under high memory pressure can trigger hung tasks in the xprtiod workqueue, requiring reboot to recover. EPSS score of 0.02% suggests low widespread exploitation likelihood. Vendor patches available across all affected stable kernel branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's RPC over RDMA transport implementation (xprtrdma module), specifically in the rpcrdma_post_recvs() function used for NFS over RDMA communications. RDMA (Remote Direct Memory Access) enables direct memory access from one computer to another without OS involvement, commonly used in high-performance NFS deployments over InfiniBand or RoCE networks. The bug involves improper reference counting of the re_receiving counter in struct rpcrdma_ep. When rpcrdma_post_recvs() exits early due to memory allocation failure or other errors, it fails to decrement ep->re_receiving. This creates a resource leak causing rpcrdma_xprt_drain() to wait indefinitely for re_receiving to reach zero during transport shutdown. The counter imbalance prevents completion signaling, resulting in unkillable kernel threads. This is a classic reference counting bug exacerbated by error-path handling gaps, affecting the synchronization primitives used for orderly RDMA transport teardown.

RemediationAI

Apply vendor-released patches from the Linux stable kernel series: upgrade to kernel 6.19.9 or later for mainline, 6.18.19+ for 6.18.x series, 6.12.78+ for 6.12.x, 6.6.130+ for 6.6.x LTS, 6.1.167+ for 6.1.x LTS, or 5.15.203+ for 5.15.x LTS branch. Specific fix commits are available at https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b (mainline) and corresponding backports linked in references section. If immediate patching is not feasible, consider compensating controls: switch NFS mounts from RDMA transport to TCP (change mount option from 'rdma' to 'tcp' in /etc/fstab and remount) which eliminates the vulnerable code path entirely - trade-off is reduced throughput in HPC environments but maintains availability. Increase system memory or reduce memory pressure through workload isolation to decrease allocation failure probability, though this only reduces trigger likelihood rather than eliminating the vulnerability. Monitor for hung tasks in xprtiod workqueue via /proc/sys/kernel/hung_task_warnings and kernel logs as early warning signal. No firewall or access control mitigations are applicable as this is a local resource exhaustion issue rather than a network exploit.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy