CVE-2026-53187

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc

The cpu_id attribute supplied by user space through UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu() without first verifying that the value is within the valid CPU range.

Passing such untrusted data to cpumask_test_cpu() may lead to an out-of-bounds read of the underlying cpumask bitmap: the helper expands to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with no bound check. In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this turns a bad user input into a machine reboot.

Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL before it is used.

Reported by Smatch.

Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's RDMA core, specifically in the handling of the cpu_id attribute supplied by user space through UVERBS_ATTR_ALLOC_DMAH_CPU_ID.

The cpu_id value is passed directly to cpumask_test_cpu() without first verifying that it is within the valid CPU range (less than nr_cpu_ids).

Because of this missing validation, an out-of-bounds read of the cpumask bitmap can occur: cpumask_test_cpu() expands to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with no bound check.

On kernels built with CONFIG_DEBUG_PER_CPU_MAPS, the same input trips the WARN_ON_ONCE() in cpumask_check(), and if panic_on_warn is enabled, the machine reboots.

The fix involves rejecting any cpu_id values that are not smaller than nr_cpu_ids with an error code (-EINVAL) before they are used.
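
The check described above, as an added user-space model in C (not the kernel's code and not part of the original record). NR_CPU_IDS, allowed_mask and all function names are hypothetical stand-ins, and the 0/1 result for an in-range CPU is this model's choice; it shows which bitmap word an unchecked lookup would touch and why the range test has to come first.

```c
/* User-space model, added example: not kernel code. All names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define NR_CPU_IDS    8u  /* constructed stand-in for nr_cpu_ids */
#define MASK_WORDS    ((NR_CPU_IDS + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Constructed allowed-CPU mask: CPUs 0..3 are permitted. */
static const unsigned long allowed_mask[MASK_WORDS] = { 0x0fUL };

/* Word a test_bit()-style helper would dereference for this cpu_id. */
static size_t mask_word_index(uint32_t cpu_id)
{
    return cpu_id / BITS_PER_LONG;
}

/* Nonzero when an unchecked lookup would index past the end of the bitmap. */
static int lookup_is_out_of_bounds(uint32_t cpu_id)
{
    return mask_word_index(cpu_id) >= MASK_WORDS;
}

/* Checked lookup: range test first, bitmap access second.
 * Returns -EINVAL if cpu_id is not smaller than NR_CPU_IDS,
 * otherwise 1 if the CPU is in the mask and 0 if it is not. */
static int checked_cpu_lookup(uint32_t cpu_id)
{
    if (cpu_id >= NR_CPU_IDS)
        return -EINVAL; /* rejected before any bitmap access */
    return (allowed_mask[mask_word_index(cpu_id)] >>
            (cpu_id % BITS_PER_LONG)) & 1UL;
}

int main(void)
{
    /* Constructed inputs: allowed, in range but not allowed,
     * first invalid id, far out of range, maximum value. */
    const uint32_t samples[] = { 2, 6, 8, 4096, UINT32_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("cpu_id=%u word=%zu oob_if_unchecked=%d checked=%d\n",
               (unsigned)samples[i], mask_word_index(samples[i]),
               lookup_is_out_of_bounds(samples[i]),
               checked_cpu_lookup(samples[i]));
    return 0;
}
```

Note that cpu_id 8 still lands in bitmap word 0, so it reads no foreign memory, yet it is not a valid CPU; comparing against nr_cpu_ids rather than the bitmap's allocated size rejects it as well.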

Impact Analysis

This vulnerability can lead to an out-of-bounds read in kernel memory, which may cause undefined behavior or system instability.

On systems with CONFIG_DEBUG_PER_CPU_MAPS enabled and panic_on_warn set, supplying an invalid cpu_id can cause the kernel to trigger a warning that leads to a machine reboot.

Therefore, an attacker or untrusted user space process could potentially cause denial of service by forcing the system to reboot unexpectedly.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the issue is resolved.

The fix involves rejecting any cpu_id that is not smaller than nr_cpu_ids with -EINVAL before it is used, preventing out-of-bounds reads and potential system reboots.

If you are running kernels built with CONFIG_DEBUG_PER_CPU_MAPS and have panic_on_warn enabled, consider disabling panic_on_warn temporarily to avoid unexpected reboots until the kernel is updated.
