CVE-2026-31425

Published: April 13, 2026 · Updated: Apr 18, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
Call Trace:
 rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
 rds_ib_map_frmr (net/rds/ib_frmr.c:252)
 rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
 rds_ib_get_mr (net/rds/ib_rdma.c:615)
 __rds_rdma_map (net/rds/rdma.c:295)
 rds_cmsg_rdma_map (net/rds/rdma.c:860)
 rds_sendmsg (net/rds/send.c:1363)
 ____sys_sendmsg
 do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.


Technical Analysis

CVE-2026-31425 requires local access: an attacker must already have a foothold on the target system, since the crash is triggered through sendmsg() on a local RDS socket.

Exploitation requires some privileges, which limits exposure to scenarios where an attacker has already gained initial access. The described impact is a kernel NULL-pointer dereference (denial of service), not code execution.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-31425
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 13, 2026

Recommended Actions

  • Apply vendor patches immediately (the fix adds a NULL check for ic, i_cm_id, and qp in rds_ib_get_mr() in net/rds/ib_rdma.c)
  • Monitor CVE-2026-31425 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts; on hosts that do not need RDS over InfiniBand, consider whether the rds_rdma module needs to be loadable at all

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.