CVE-2026-46127 - Vulnerability Details

- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn't NULL.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel RDMA/ocrdma subsystem contains a null pointer dereference on error paths within the ocrdma_copy_pd_uresp() routine. When the function encounters an error before pd->uctx has been initialized, the code dereferences a NULL pointer, causing an immediate kernel crash. This defect yields a denial of service as the kernel becomes unstable and must be restarted, but it does not directly grant any confidentiality or integrity breach. The weakness is a null pointer dereference (CWE‑824).

Affected Systems

Any Linux kernel that includes the ocrdma driver before the commit that introduced a non‑NULL reference to pd->uctx is affected. The vulnerability is present in all kernels that compile with the ocrdma module until the patch is applied; no further version delimiters are provided in the vendor data.

Risk and Exploitability

The EPSS of <1% and the absence from the CISA KEV catalog suggest that exploitation is rare at this time. Based on the function’s role in processing RDMA PD responses, an attacker would likely need to trigger RDMA traffic that reaches the ocrdma driver and causes the error path. This typically requires the ability to send or influence RDMA frames to the device, which in many environments is limited to privileged or local users, but the exact prerequisites are not detailed in the published description. Once triggered, the crash is deterministic, providing a straightforward denial of service route.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fe2caefcdf5869f308c102e3d64d40683bfad711`	affected	< e01a957561f663d3b68d2fd233a4502e3367efcd
`fe2caefcdf5869f308c102e3d64d40683bfad711`	affected	< 75fc130664ae324e7b2f9ad3630e0f175e9ca6c8
`fe2caefcdf5869f308c102e3d64d40683bfad711`	affected	< 8832626a483439e207734e027afff322ccdf726e
`fe2caefcdf5869f308c102e3d64d40683bfad711`	affected	< ec44c00a4fe1327efa35083f98b39c01cb535a51
`fe2caefcdf5869f308c102e3d64d40683bfad711`	affected	< 34fbf48cf3b410d2a6e8c586fa952a36331ca5ba

Linux

affected

Version	Status	Constraints
`3.5`	affected	—
`0`	unaffected	< 3.5
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[fe2caefcdf5869f308c102e3d64d40683bfad711,e01a957561f663d3b68d2fd233a4502e3367efcd)`	affected	code_commit	—
`[fe2caefcdf5869f308c102e3d64d40683bfad711,75fc130664ae324e7b2f9ad3630e0f175e9ca6c8)`	affected	code_commit	—
`[fe2caefcdf5869f308c102e3d64d40683bfad711,8832626a483439e207734e027afff322ccdf726e)`	affected	code_commit	—
`[fe2caefcdf5869f308c102e3d64d40683bfad711,ec44c00a4fe1327efa35083f98b39c01cb535a51)`	affected	code_commit	—
`[fe2caefcdf5869f308c102e3d64d40683bfad711,34fbf48cf3b410d2a6e8c586fa952a36331ca5ba)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.5`	affected	generic	—
`[0,3.5)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that contains the ocrdma driver fix. The patch commit corrects the null dereference; installing the updated kernel will remove the defect.
If your environment uses a custom kernel build, cherry‑pick or merge the commit that resolves the null dereference into your local kernel tree and rebuild the kernel. This recreates the same safe behavior without waiting for an official upstream release.
As a temporary mitigator, prevent the ocrdma module from loading by unloading it at runtime or by blacklisting it via a /etc/modprobe.d/blacklist entry, thereby eliminating the path that could crash the kernel until a patch is deployed.

Generated by OpenCVE AI on May 29, 2026 at 04:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba
https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8
https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e
https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd
https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51
https://lore.kernel.org/linux-cve-announce/2026052816-CVE-2026-46127-7c28@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46127
https://www.cve.org/CVERecord?id=CVE-2026-46127

History

Fri, 29 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://lore.kernel.org/linux-cve-announce/2026052816-CVE-2026-46127-7c28@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46127 https://www.cve.org/CVERecord?id=CVE-2026-46127
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.
Title		RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8 https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:42.368Z

Updated: 2026-05-28T09:35:42.368Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46127

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.250

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46127

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46127 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T04:45:36Z

Weaknesses

CWE-824

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object