Skip to main content

Linux Kernel EUVDEUVD-2026-38863

| CVE-2026-52995 MEDIUM
2026-06-24 Linux GHSA-735g-xvv4-mj9w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege access required; sole impact is kernel stack pointer disclosure enabling KASLR bypass, with no integrity or availability consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 15:16 vuln.today
CVSS changed
Jul 15, 2026 - 13:07 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/rds: zero per-item info buffer before handing it to visitors

rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote.

rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space.

struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug.

Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers:

0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage)

Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.

No functional change for visitors that fully populate their output.

Changes in v2:

  • retarget at the net tree (subject prefix "[PATCH net v2]",

net/rds: prefix in the title)

  • pick up Reviewed-by tags from Sharath Srinivasan and

Allison Henderson

AnalysisAI

Stack memory disclosure in the Linux kernel RDS/IB subsystem exposes up to 26 bytes of uninitialized kernel stack contents - including kernel text and data pointers - to local unprivileged users via the getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) interface. The leak enables KASLR bypass on systems where the kernel was built without CONFIG_INIT_STACK_ALL_ZERO=y, making this a useful primitive for chaining into privilege escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open AF_RDS socket with SO_RDS_TRANSPORT=IB
Delivery
Bind to local RDMA-capable interface address
Exploit
Issue sendto() to any peer (fails, installs RDS_CONN_CONNECTING in kernel hash)
Execution
Call getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS)
Persist
Parse 68-byte response for uninitialized stack bytes at offsets 40-55
Impact
Extract kernel text/data pointers to compute KASLR slide

Vulnerability AssessmentAI

Exploitation Requires a local low-privileged user account (PR:L confirmed by CVSS vector); no network-remote or unauthenticated attack path exists. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) contains what appears to be a metric misassignment: the vulnerability is explicitly an information disclosure - the description shows kernel text/data pointers leaking via the 68-byte getsockopt response - yet C:N and A:H are assigned. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged attacker on a Linux host with an RDMA-capable NIC (or any NIC with rxe soft-RoCE loaded) opens an AF_RDS socket, sets SO_RDS_TRANSPORT=IB, binds to the local address, and issues a sendto() to any peer address on the same subnet - the call fails but causes the kernel to install an rds_connection object in RDS_CONN_CONNECTING state. The attacker immediately calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) and receives a 68-byte struct in which bytes 40-55 contain live kernel text/data pointers from the preceding stack frame, enabling precise KASLR offset computation. …
Remediation Apply the vendor-released stable kernel patches for the appropriate branch: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy