Skip to main content

Linux Kernel EUVDEUVD-2026-32435

| CVE-2026-46053 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p6f8-fpcw-hg3g
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:41 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix MR cleanup on copy error

__rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference.

Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.

AnalysisAI

Local privilege escalation risk in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem stems from a double-free condition in __rds_rdma_map() when a put_user() copy of the MR cookie fails after get_mr() has transferred sg/pages ownership to the transport. A local authenticated attacker triggering this race or fault path could cause memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is low at 0.02%, but a vendor-released patch is available across multiple stable branches.

Technical ContextAI

The vulnerability lives in net/rds/rdma.c, the Linux kernel's Reliable Datagram Sockets RDMA memory-region (MR) registration path. After get_mr() succeeds, ownership of the scatter-gather list and pinned user pages is transferred to the transport layer; the original error path in __rds_rdma_map() then incorrectly performed an unpin/free on the put_user() failure branch, producing a classic double-free / use-after-free pattern (CWE-415 / CWE-416 class - no CWE was supplied in the input). RDS is a kernel networking protocol primarily used with RDMA-capable hardware (originally Oracle's InfiniBand stack) and is built as the rds and rds_rdma modules; it must be loaded for the vulnerable code path to be reachable. No CPE data was provided, but the EUVD-listed fixes (6.6.140, 6.12.86, 7.0.4, 6.18.27, 7.1-rc1) confirm impact spans the long-term stable trees back to the introducing commit 0d4597c8c5ab.

RemediationAI

Vendor-released patches are available: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1, or later within the matching stable branch, referencing the fix commits at https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c and the four sibling commits listed in the NVD references. If immediate kernel updates are not feasible, the most effective compensating control is to blacklist or unload the rds and rds_rdma modules (e.g., 'install rds /bin/true' in /etc/modprobe.d/), which eliminates the attack surface entirely at the cost of breaking any application that genuinely uses RDS (rare outside specific HPC/Oracle DB deployments). As a secondary control, restrict local shell access and audit which users can open AF_RDS sockets, since the vulnerable path requires invoking the RDS_GET_MR ioctl from userspace.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy