CVE-2026-52939
Analyzed Analyzed - Analysis Complete

NULL dereference in Linux kernel RDS/IB atomic operation handling

Vulnerability report for CVE-2026-52939, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed. RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) Call Trace: <IRQ> rds_ib_send_cqe_handler (net/rds/ib_send.c:282) poll_scq (net/rds/ib_cm.c:274) rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294) tasklet_action_common (kernel/softirq.c:943) handle_softirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel From 2.6.37 (inc) to 5.10.259 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) over InfiniBand (IB) implementation. Specifically, it involves a NULL pointer dereference in the function rds_ib_send_cqe_handler() when handling masked atomic completions.

The issue arises because rds_ib_xmit_atomic() always programs a masked atomic opcode for every RDS atomic cmsg, but the completion-side function rds_ib_send_unmap_op() only handles non-masked opcodes. As a result, when a masked atomic completion occurs, it falls through to a default case returning a NULL pointer, which is then dereferenced in rds_ib_send_cqe_handler(), causing a kernel oops (crash) in softirq context.

An unprivileged user can trigger this by sending an atomic cmsg over an active RDS/IB connection, especially on hardware that supports masked atomics natively (such as mlx4 or mlx5), without needing extra setup.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability causes a NULL pointer dereference in the Linux kernel's RDS/IB subsystem, which can lead to a kernel oops or panic when an unprivileged AF_RDS sendmsg() of an atomic cmsg is performed over an active RDS/IB connection.

Detection can be done by monitoring kernel logs for specific error messages such as:

  • "RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!"
  • "Oops: general protection fault [#1] SMP KASAN"
  • "KASAN: null-ptr-deref in range"
  • "Kernel panic - not syncing: Fatal exception in interrupt"

You can check kernel logs using commands like:

  • dmesg | grep -i 'rds_ib_send_unmap_op'
  • journalctl -k | grep -i 'rds_ib_send_unmap_op'
  • dmesg | grep -i 'null-ptr-deref'
  • journalctl -k | grep -i 'null-ptr-deref'

Additionally, monitoring for kernel oops or panic events related to RDS/IB can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, the immediate step is to update the Linux kernel to a version where this issue is fixed.

The fix involves handling masked atomic opcodes correctly in the rds_ib_send_unmap_op() function to prevent NULL pointer dereference and kernel panic.

If updating the kernel is not immediately possible, consider disabling or restricting the use of RDS over InfiniBand (RDS/IB) connections, especially blocking unprivileged users from sending atomic cmsgs over active RDS/IB connections.

Monitoring and restricting access to AF_RDS sockets and controlling which users can send messages over RDS/IB may reduce the risk of triggering this vulnerability.

Impact Analysis

This vulnerability can cause a kernel crash (kernel oops) due to a NULL pointer dereference in the Linux kernel's networking stack when handling certain RDS atomic messages over InfiniBand.

The impact includes potential denial of service (DoS) on affected systems, as the kernel panic or oops can disrupt normal operations and require a reboot or recovery.

Since the vulnerability can be triggered by an unprivileged user sending a specially crafted message, it could be exploited to disrupt services or affect system stability on systems using RDS over InfiniBand.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart