CVE-2026-31425
Analyzed Analyzed - Analysis Complete
Null Pointer Dereference in Linux RDS IB Causes Kernel Crash

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel. The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64 Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31425
EUVD
EUVD-2026-21950
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 4.6 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is resolved by adding checks in the Linux kernel code to verify that the connection and its components are fully established before proceeding with FRMR registration. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Specifically, the fix adds a check in rds_ib_get_mr() to ensure ic, i_cm_id, and qp are all non-NULL before proceeding, preventing kernel crashes caused by premature FRMR registration.

Until the kernel is updated, avoid using RDS over InfiniBand connections that might trigger this condition, or apply any vendor-provided patches addressing this issue.

Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) over InfiniBand (ib) implementation. It occurs because the system attempts to register FRMR (Fast Registration Memory Region) before the InfiniBand connection is fully established. Specifically, the function rds_ib_get_mr() extracts a connection object that is allocated early but lacks a valid rdma_cm_id (connection identifier). When a sendmsg() call with RDS_CMSG_RDMA_MAP is made on such a fresh connection, the kernel tries to access a null pointer related to the connection's queue pair (qp), causing a kernel crash.

The root cause is that the existing checks only verify if the connection object exists, but do not confirm that the connection identifier and queue pair are valid before proceeding with FRMR registration. This leads to a null pointer dereference and kernel crash.

The fix involves adding checks to ensure that the connection object, connection identifier, and queue pair are all non-NULL before attempting FRMR registration. If the connection is not ready, the function returns an error that triggers a retry mechanism and connection establishment.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a null pointer dereference when handling certain RDMA (Remote Direct Memory Access) operations over InfiniBand connections that are not fully established.

A kernel crash can lead to system instability, downtime, and potential loss of data or service availability. Systems relying on RDS over InfiniBand for high-performance networking could be disrupted, affecting applications and services dependent on these connections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart