Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA: During rereg_mr ensure that REREG_ACCESS is compatible

If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
re-evaluated to ensure it is properly pinned as RW. Since the umem is
hidden inside each driver's mr struct add a ib_umem_check_rereg() function
that each driver has to call before processing IB_MR_REREG_ACCESS.

mlx4 has to retain its duplicate ib_access_writable check because it
implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
in place sequentially while the MR is live, so it will continue to not
support this combination.
Published: 2026-06-19
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RDMA subsystem in the Linux kernel fails to verify that the requested access rights during a memory region re‑registration match the existing permissions. When the IB_MR_REREG_ACCESS flag is changed from read‑only to read‑write, the kernel does not re‑evaluate the underlying user memory mapping, which may result in a client being granted write access to a region that should remain read‑only. This omission creates an improper access control flaw (CWE-1220) that could compromise the confidentiality and integrity of data stored in the region.

Affected Systems

All Linux kernel releases that contain the RDMA stack prior to the inclusion of patch commit 09dc188 are affected. The issue primarily involves RDMA drivers such as mlx4, but any driver that registers memory regions without performing the added ib_umem_check_rereg() check could be susceptible. Systems running an unpatched kernel with active RDMA drivers should be considered vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation based on current data, and the the CISA The vector is a local or privileged RDMA client that can issue a re‑registration request changing the access flag from RO to RW. Because the flaw involves a missing kernel check rather than a userland exploit, no public exploits have been reported, and exploitation would require access to the RDMA device and the ability to manipulate registration requests.

Generated by OpenCVE AI on June 28, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that includes the rereg_mr REREG_ACCESS compatibility fix (commit 09dc188).
  • Ensure that RDMA drivers (e.g., mlx4) call ib_umem_check_rereg() before processing IB_MR_REREG_ACCESS or update the driver to use the new helper function.
  • Restart RDMA‑dependent services or reload kernel modules so that the patched kernel and updated drivers are active.

Generated by OpenCVE AI on June 28, 2026 at 13:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6355-1 linux security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1220
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 19 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA: During rereg_mr ensure that REREG_ACCESS is compatible If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be re-evaluated to ensure it is properly pinned as RW. Since the umem is hidden inside each driver's mr struct add a ib_umem_check_rereg() function that each driver has to call before processing IB_MR_REREG_ACCESS. mlx4 has to retain its duplicate ib_access_writable check because it implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items in place sequentially while the MR is live, so it will continue to not support this combination.
Title RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:24.208Z

Reserved: 2026-06-09T07:44:35.366Z

Link: CVE-2026-52908

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-19T00:00:00Z

Links: CVE-2026-52908 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-1220

    Insufficient Granularity of Access Control