CVE-2026-52995
Received Received - Intake
Information Leak in Linux Kernel RDS Module

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug. No functional change for visitors that fully populate their output. Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52995
EUVD
EUVD-2026-38863
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDS (Reliable Datagram Sockets) subsystem, specifically in how certain functions handle a buffer before passing it to user space. The functions rds_for_each_conn_info() and rds_walk_conn_path_info() provide a caller-allocated on-stack buffer to a visitor function and then copy the entire buffer back to user space without ensuring all parts of the buffer are properly initialized.

When the RDS connection is not fully established (not in state RDS_CONN_UP), some fields in the buffer remain uninitialized and contain leftover stack data, including potentially sensitive kernel memory pointers and other garbage data. This happens because the output structures have alignment holes and only partially write their data, leaving some parts of the buffer with stale stack contents.

A local unprivileged user can trigger this by opening an AF_RDS socket, setting it to use RDMA transport, binding to a local address, sending data to a peer, and then calling a getsockopt() to retrieve connection info. The returned data can leak kernel stack contents, including kernel pointers.

The fix was to zero out the entire per-item buffer before passing it to the visitor functions, ensuring no uninitialized stack data is leaked to user space.

Impact Analysis

This vulnerability can lead to information disclosure where a local unprivileged user can obtain sensitive kernel memory contents, including kernel pointers and other stack data that should not be exposed.

Leaking kernel pointers can aid attackers in bypassing kernel address space layout randomization (KASLR) protections, potentially facilitating further attacks such as privilege escalation or arbitrary code execution.

Although the vulnerability requires local access and specific conditions (using AF_RDS sockets with RDMA transport), it still poses a risk of exposing sensitive kernel information to unauthorized users.

Detection Guidance

This vulnerability can be detected by checking for the presence of uninitialized stack data being leaked through the RDS (Reliable Datagram Sockets) interface when querying RDMA connection information.

A local unprivileged user can reproduce the issue by opening an AF_RDS socket, setting SO_RDS_TRANSPORT to IB (InfiniBand), binding to a local RDMA-capable network device, sending data to a peer on the same subnet, and then calling getsockopt() with SOL_RDS and RDS_INFO_IB_CONNECTIONS to retrieve connection info that may contain stack garbage.

Commands to detect this behavior might include:

  • Open an RDS socket: `socket(AF_RDS, SOCK_SEQPACKET, 0)`
  • Set the transport to InfiniBand: `setsockopt(sock, SOL_RDS, SO_RDS_TRANSPORT, &RDMA_TRANSPORT_IB, sizeof(int))`
  • Bind to a local RDMA-capable address.
  • Send data to a peer on the same subnet using `sendto()`.
  • Retrieve connection info with: `getsockopt(sock, SOL_RDS, RDS_INFO_IB_CONNECTIONS, &buffer, &buffer_len)` and inspect the returned data for uninitialized stack contents or kernel pointers.
Mitigation Strategies

The immediate mitigation is to update the Linux kernel to a version where this vulnerability has been fixed.

The fix involves zeroing the per-item info buffer before it is handed to visitors in the RDS code, preventing uninitialized stack data from being leaked.

Until the kernel is updated, restrict unprivileged users from opening AF_RDS sockets or limit access to RDMA-capable network devices to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52995. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart