Description
In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion

rds_ib_xmit_atomic() always programs a masked atomic opcode
(IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD)
for every RDS atomic cmsg. But the completion-side switch in
rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked
atomic completion falls through to default and returns rm == NULL while
send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the
NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged
AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection
triggers it; on hardware that natively accepts masked atomics (mlx4,
mlx5) no extra setup is needed.

RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!
Oops: general protection fault [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]
RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)
Call Trace:
<IRQ>
rds_ib_send_cqe_handler (net/rds/ib_send.c:282)
poll_scq (net/rds/ib_cm.c:274)
rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)
tasklet_action_common (kernel/softirq.c:943)
handle_softirqs (kernel/softirq.c:573)
run_ksoftirqd (kernel/softirq.c:479)
</IRQ>
Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked
ones: they map to the same struct rds_message.atomic union member, so
the existing container_of()/rds_ib_send_unmap_atomic() body is correct
for them.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference occurs in the Linux kernel RDS/IB subsystem when handling a masked atomic completion. The flaw causes rds_ib_send_cqe_handler() to dereference a null pointer in softirq context, resulting in a kernel oops and a fatal exception that crashes the system. The vulnerability is a local denial‑of‑service condition that can be triggered without privileged access.

Affected Systems

All Linux kernels that have the RDS/IB driver enabled and have not incorporated the fix are affected. The patch was introduced in commit 0f22412a2f4fbbe0 in the main line, meaning any kernel version that includes the vulnerable code path prior to that commit is vulnerable. Users hardware that supports masked atomics (e.g., mlx4, mlx5) are fully impacted when an RDS/IB connection is active.

Risk and Exploitability

The impact with a CVSS score of 5.5, but the EPSS score is less than a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an unprivileged user can trigger the crash by sending an atomic control message over an active RDS/IB connection; no additional setup is needed on hardware that natively accepts masked atomics. Because the exploit can be performed from user space and does not require elevated privileges, any system with the vulnerable kernel exposed to user processes is at risk.

Generated by OpenCVE AI on June 25, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a kernel package that contains commit 0f22412a2f4fbbe0 or later and reboot to use the updated kernel.
  • If an immediate kernel upgrade is not possible, unload the RDS module with "modprobe -r rds" or block loading of the rds kernel module with a custom /etc/modprobe.d entry.
  • After applying the fix or ensuring that no AF_RDS sockets are created, monitor the system for any signs of kernel panics.

Generated by OpenCVE AI on June 25, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed. RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) Call Trace: <IRQ> rds_ib_send_cqe_handler (net/rds/ib_send.c:282) poll_scq (net/rds/ib_cm.c:274) rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294) tasklet_action_common (kernel/softirq.c:943) handle_softirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.
Title net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:28.622Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52939

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52939 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T02:45:16Z

Weaknesses