Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local access (AV:L) by a low-privileged user (PR:L); AC:H because the attacker must arrange a block device aliasing the ucap dev_t; scope change and high impact reflect crossing the RDMA capability boundary.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Validate the passed in fops for ib_get_ucaps()
Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same dev_t it can masquerade as a ucap cdev fd.
Test the f_ops to only accept authentic cdevs.
AnalysisAI
Privilege/capability boundary bypass in the Linux kernel RDMA/core subsystem (ib_get_ucaps) lets a local low-privileged user masquerade as an authentic user-capability (ucap) character-device file descriptor. Because char and block devices share the dev_t namespace, the kernel previously validated only the device number, so a block device with a matching dev_t could be passed to ib_get_ucaps() to impersonate a legitimate ucap cdev and obtain RDMA capabilities the user should not hold. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a host where the RDMA/core ucaps feature is in use and reachable by the attacker, plus the ability to present a block device fd whose dev_t aliases a genuine ucap character device so it is mistaken for an authentic ucap cdev by ib_get_ucaps(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward a real-but-not-urgent local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local, low-privileged user on an RDMA-enabled host creates or locates a block device whose dev_t matches a legitimate ucap character device, then passes that fd into the ib_get_ucaps() path. The kernel, validating only by dev_t, treats the block device as an authentic ucap cdev and grants RDMA capabilities the attacker should not have, enabling capability escalation within the RDMA subsystem. … |
| Remediation | Patch available per vendor advisory: update to a kernel build that includes the fix from the upstream stable commits 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee, 96b6e98ff12d50ed5817230c6f1188e1150d225d, or aa181287ebdcc53ee0ba5c2f8243e2d541ebc19b (https://git.kernel.org/stable/c/4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee), corresponding to fixed stable releases (EUVD references the 6.18.36 series and 7.x branches - confirm the exact patched version against your distribution's changelog rather than relying on the malformed EUVD tokens). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running affected Linux kernels with RDMA enabled (check for ib_* modules); prioritize production infrastructure and multi-tenant systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39279
GHSA-4rj2-pr7f-cmpg