HOMEVULNERABILITIESCVE-2026-52995
NONE

CVE-2026-52995

Published: June 24, 2026· Updated: Jun 24, 2026

EPSS:0.18%probability of exploitation in 30 daysPercentile:7.4th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: zero per-item info buffer before handing it to visitors

rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a

caller-allocated on-stack u64 buffer to a per-connection visitor and

then copy the full item_len bytes back to user space via

rds_info_copy() regardless of how much of the buffer the visitor

actually wrote.

rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only

write a subset of their output struct when the underlying

rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl

and the two GIDs via explicit memsets). Several u32 fields

(max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size,

cache_allocs) and the 2-byte alignment hole between sl and

cache_allocs remain as whatever stack contents preceded the visitor

call and are then memcpy_to_user()'d out to user space.

struct rds_info_rdma_connection and struct rds6_info_rdma_connection

are the only rds_info_* structs in include/uapi/linux/rds.h that are

not marked __attribute__((packed)), so they have a real alignment

hole. The other info visitors (rds_conn_info_visitor,

rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of

their packed output struct today and are not known to be vulnerable,

but a future visitor that adds a conditional write-path would have

the same bug.

Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y:

a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB,

binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on

any netdev is sufficient), sendto()'s any peer on the same subnet

(fails cleanly but installs an rds_connection in the global hash in

RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS,

RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26

bytes of stack garbage including kernel text/data pointers:

0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2

8..39 00 ... gids (memset-zeroed)

40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr)

48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max)

56..59 01 00 08 00 rdma_mr_size (garbage)

60..61 00 00 tos, sl

62..63 00 00 alignment padding

64..67 18 00 00 00 cache_allocs (garbage)

Fix by zeroing the per-item buffer in both rds_for_each_conn_info()

and rds_walk_conn_path_info() before invoking the visitor. This

covers the IPv4/IPv6 IB visitors and hardens all current and future

visitors against the same class of bug.

No functional change for visitors that fully populate their output.

Changes in v2:

- retarget at the net tree (subject prefix "[PATCH net v2]",

net/rds: prefix in the title)

- pick up Reviewed-by tags from Sharath Srinivasan and

Allison Henderson

NVD Source

Technical Analysis

CVE-2026-52995 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-52995
SeverityNONE
CISA KEVNo
EPSS (30d)0.18%
PublishedJun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-52995 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.