Impact
The Linux kernel’s net/rds module allows creation of remote datagram sockets in any network namespace, but the implementation fails to function correctly outside the initial namespace. This weakness, classified as CWE‑280 (Improper Restriction of Capability), can cause a denial of service by terminating RDS or InfiniBand operations when used in secondary namespaces. The flaw does not grant any additional privileges or data exfiltration, but it disrupts services that rely on RDS/IB communication.
Affected Systems
Any Linux kernel installation that includes the built‑in RDS/IB networking code is potentially affected. The issue applies to all mainstream kernels that ship with the stock RDS/IB modules enabled, regardless of distribution or edition.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity impact, while the EPSS score of < 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no publicly known exploits. Based on the description, the likely attack vector requires the ability to create or manipulate network namespaces, typically demanding privileged capabilities such as CAP_SYS_ADMIN. Local privileged users could trigger the denial of service within the affected namespace without escalating privileges beyond the scope of the namespace.
OpenCVE Enrichment
Debian DLA