CVE-2026-52939
NULL dereference in Linux kernel RDS/IB atomic operation handling

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion

rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context.

An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed.

  RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!
  Oops: general protection fault [#1] SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]
  RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)
  Call Trace:
   <IRQ>
   rds_ib_send_cqe_handler (net/rds/ib_send.c:282)
   poll_scq (net/rds/ib_cm.c:274)
   rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)
   tasklet_action_common (kernel/softirq.c:943)
   handle_softirqs (kernel/softirq.c:573)
   run_ksoftirqd (kernel/softirq.c:479)
   </IRQ>
  Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.
Affected Vendors & Products

Vendor   Product       Version / Range
linux    linux_kernel  *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) over InfiniBand (IB) implementation. Specifically, it involves a NULL pointer dereference in the function rds_ib_send_cqe_handler() when handling masked atomic completions.

The issue arises because rds_ib_xmit_atomic() always programs a masked atomic opcode for every RDS atomic cmsg, while the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes. When a masked atomic completion arrives, it falls through to the default case, which returns a NULL message pointer (rm) while send->s_op is still set. rds_ib_send_cqe_handler() then dereferences that NULL pointer via rm->m_final_op, causing a kernel oops (crash) in softirq context.

An unprivileged user can trigger this with an AF_RDS sendmsg() carrying an atomic cmsg over an active RDS/IB connection; on hardware that natively accepts masked atomics (such as mlx4 or mlx5), no extra setup is needed.
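
The opcode mismatch described above, modelled as an added C example (constructed for this page, not kernel code): a completion-side switch that only handles the non-masked atomic opcodes beside the fixed one that handles both, plus a stub completion step that reports exactly where the NULL dereference would occur. The enum and struct names are simplified stand-ins for the kernel's IB_WR_* opcodes, rds_message and the send slot's s_op, and the opcode values are arbitrary.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the IB opcodes named in the advisory; values are arbitrary. */
enum wr_opcode {
    WR_ATOMIC_CMP_AND_SWP, WR_ATOMIC_FETCH_AND_ADD,
    WR_MASKED_ATOMIC_CMP_AND_SWP, WR_MASKED_ATOMIC_FETCH_AND_ADD,
};
/* Minimal model of the per-WR send slot (s_op) and the RDS message owning the atomic op. */
struct rds_message { int m_final_op; };
struct rm_atomic_op { struct rds_message *owner; };
struct send_work { enum wr_opcode opcode; struct rm_atomic_op *s_op; };

/* Buggy completion-side lookup: only non-masked atomics are handled, so a masked
 * completion hits default and returns NULL while send->s_op is still set. */
static struct rds_message *unmap_op_vulnerable(struct send_work *send)
{
    switch (send->opcode) {
    case WR_ATOMIC_CMP_AND_SWP:
    case WR_ATOMIC_FETCH_AND_ADD:
        return send->s_op->owner;
    default:
        return NULL;   /* the "unexpected opcode" path seen in the oops */
    }
}
/* Fixed lookup: masked opcodes map to the same atomic union member, so same case. */
static struct rds_message *unmap_op_fixed(struct send_work *send)
{
    switch (send->opcode) {
    case WR_ATOMIC_CMP_AND_SWP:
    case WR_ATOMIC_FETCH_AND_ADD:
    case WR_MASKED_ATOMIC_CMP_AND_SWP:
    case WR_MASKED_ATOMIC_FETCH_AND_ADD:
        return send->s_op->owner;
    default:
        return NULL;
    }
}

/* One completion: the sender always programmed a masked opcode; the handler reads
 * rm->m_final_op whenever s_op is set. Returns false where the kernel would crash. */
bool completion_survives(bool patched)
{
    struct rds_message rm = { .m_final_op = 1 };
    struct rm_atomic_op op = { .owner = &rm };
    struct send_work send = { WR_MASKED_ATOMIC_FETCH_AND_ADD, &op };
    struct rds_message *got = patched ? unmap_op_fixed(&send) : unmap_op_vulnerable(&send);
    if (send.s_op != NULL && got == NULL)
        return false;   /* rm->m_final_op on a NULL rm: the NULL deref in this CVE */
    return got->m_final_op == 1;
}
```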

Impact Analysis

This vulnerability can cause a kernel crash (kernel oops) due to a NULL pointer dereference in the Linux kernel's networking stack when handling certain RDS atomic messages over InfiniBand.

The impact includes potential denial of service (DoS) on affected systems, as the kernel panic or oops can disrupt normal operations and require a reboot or recovery.

Since the vulnerability can be triggered by an unprivileged user holding an AF_RDS socket over an active RDS/IB connection, it could be used to disrupt services or affect system stability on systems using RDS over InfiniBand.
