Impact
A NULL pointer dereference occurs in the Linux kernel RDS/IB subsystem when handling a masked atomic completion. The flaw causes rds_ib_send_cqe_handler() to dereference a null pointer in softirq context, resulting in a kernel oops and a fatal exception that crashes the system. The vulnerability is a local denial‑of‑service condition that can be triggered without privileged access.
Affected Systems
All Linux kernels that have the RDS/IB driver enabled and have not incorporated the fix are affected. The patch was introduced in commit 0f22412a2f4fbbe0 in the main line, meaning any kernel version that includes the vulnerable code path prior to that commit is vulnerable. Users hardware that supports masked atomics (e.g., mlx4, mlx5) are fully impacted when an RDS/IB connection is active.
Risk and Exploitability
The impact with a CVSS score of 5.5, but the EPSS score is less than a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an unprivileged user can trigger the crash by sending an atomic control message over an active RDS/IB connection; no additional setup is needed on hardware that natively accepts masked atomics. Because the exploit can be performed from user space and does not require elevated privileges, any system with the vulnerable kernel exposed to user processes is at risk.
OpenCVE Enrichment
Debian DLA