Skip to main content

Linux Kernel EUVDEUVD-2026-39338

| CVE-2026-53133 HIGH
Incorrect Conversion between Numeric Types (CWE-681)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5rwx-cqg3-893x
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local RDMA-device access gives PR:L; the IOMMU-enabled, >=4G-block prerequisites make it AC:H; DMA-address corruption supports C/I/A:H within an unchanged scope.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:14 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix truncation for block sizes >= 4G

When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries.

When __rdma_block_iter_next() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation.

Use the right types to hold DMA addresses.

AnalysisAI

Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privileged access
Delivery
Gain access to RDMA verbs/device
Exploit
Register memory region >= 4GB
Execution
Trigger IOMMU linearization and 32-bit truncation
Persist
DMA to wrong physical addresses
Impact
Kernel memory corruption or disclosure

Vulnerability AssessmentAI

Exploitation Requires local access (CVSS AV:L) with at least low privileges (PR:L) sufficient to access RDMA verbs/devices, plus three concrete environmental prerequisites named in the description: (1) the kernel's RDMA/InfiniBand stack is in use, (2) an IOMMU is active and linearizes the mapping into a single large block split across multiple SG entries, and (3) a memory registration with a block size of 4GB (>= 2^32 bytes) or larger so the truncation boundary is crossed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a genuine but specialized issue rather than a mass-exploitation priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already has local, low-privileged access to a host with RDMA hardware and an enabled IOMMU registers a user memory region of 4GB or larger, causing the kernel to linearize it into a large block split across SG entries. The 32-bit truncation in __rdma_block_iter_next() then programs the device with incorrect DMA addresses for blocks past the 2^32 boundary, steering DMA reads/writes to unintended physical memory and producing corruption or disclosure. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel for your series - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later - using your distribution's backport once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory Linux systems running kernel 5.2 through 7.1 with RDMA subsystem enabled; identify users and services with RDMA device access capabilities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy