Skip to main content

Linux Kernel EUVDEUVD-2026-39279

| CVE-2026-53188 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4rj2-pr7f-cmpg
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local access (AV:L) by a low-privileged user (PR:L); AC:H because the attacker must arrange a block device aliasing the ucap dev_t; scope change and high impact reflect crossing the RDMA capability boundary.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:27 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Validate the passed in fops for ib_get_ucaps()

Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same dev_t it can masquerade as a ucap cdev fd.

Test the f_ops to only accept authentic cdevs.

AnalysisAI

Privilege/capability boundary bypass in the Linux kernel RDMA/core subsystem (ib_get_ucaps) lets a local low-privileged user masquerade as an authentic user-capability (ucap) character-device file descriptor. Because char and block devices share the dev_t namespace, the kernel previously validated only the device number, so a block device with a matching dev_t could be passed to ib_get_ucaps() to impersonate a legitimate ucap cdev and obtain RDMA capabilities the user should not hold. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged shell on RDMA host
Delivery
Create/locate block device aliasing ucap dev_t
Exploit
Pass forged fd to ib_get_ucaps()
Execution
Kernel accepts it as authentic ucap cdev
Impact
Obtain unauthorized RDMA capabilities

Vulnerability AssessmentAI

Exploitation Requires local access to a host where the RDMA/core ucaps feature is in use and reachable by the attacker, plus the ability to present a block device fd whose dev_t aliases a genuine ucap character device so it is mistaken for an authentic ucap cdev by ib_get_ucaps(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward a real-but-not-urgent local issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local, low-privileged user on an RDMA-enabled host creates or locates a block device whose dev_t matches a legitimate ucap character device, then passes that fd into the ib_get_ucaps() path. The kernel, validating only by dev_t, treats the block device as an authentic ucap cdev and grants RDMA capabilities the attacker should not have, enabling capability escalation within the RDMA subsystem. …
Remediation Patch available per vendor advisory: update to a kernel build that includes the fix from the upstream stable commits 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee, 96b6e98ff12d50ed5817230c6f1188e1150d225d, or aa181287ebdcc53ee0ba5c2f8243e2d541ebc19b (https://git.kernel.org/stable/c/4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee), corresponding to fixed stable releases (EUVD references the 6.18.36 series and 7.x branches - confirm the exact patched version against your distribution's changelog rather than relying on the malformed EUVD tokens). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running affected Linux kernels with RDMA enabled (check for ib_* modules); prioritize production infrastructure and multi-tenant systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy