Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix truncation for block sizes >= 4G

When the iommu is used the linearization of the mapping can give a single
block that is very large split across multiple SG entries.

When __rdma_block_iter_next() reassembles the split SG entries it is
overflowing the 32 bit stack values and computed the wrong DMA addresses
for blocks after the truncation.

Use the right types to hold DMA addresses.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a 32‑bit integer overflow in the RDMA/umem subsystem, classified as CWE‑681. When an IOMMU is used, a large linear memory block may span multiple scatter‑gather entries. The helper function that reassembles these entries, __rdma_block_iter_next(), writes the DMA addresses into 32‑bit stack variables, truncating the value for blocks that are 4 GB or larger. The truncated addresses can lead to memory mapping that does not correspond to the intended buffer, potentially allowing a buffer overflow or accidental sharing of memory between unrelated RDMA operations. The attack outcome could be data corruption or leakage of confidential information, although the detailed impact on confidentiality and integrity is not explicitly described in the advisory.

Affected Systems

All Linux kernel releases that compile the RDMA/umem subsystem with IOMMU support and have not incorporated the patch are vulnerable. This includes most mainstream distributions that ship a recent kernel and enable RDMA for storage or networking workloads that may use buffers of four gigabytes or more. Older kernels prior to the advisory that omitted the fix are also at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, and the EPSS score of < 1 % suggests a very low likelihood of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, based on the description, is an RDMA operation with a block size of at least 4 GB on a system where IOMMU is enabled—a scenario that is not typical for most environments but can occur in high‑performance compute or storage clusters that use large RDMA buffers.

Generated by OpenCVE AI on June 28, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the RDMA/umem truncation fix
  • If a kernel upgrade is not immediately available, disable IOMMU support for RDMA traffic on the affected nodes
  • Configure RDMA applications to avoid allocating buffer blocks larger than 4 GB until the patch is applied

Generated by OpenCVE AI on June 28, 2026 at 13:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix truncation for block sizes >= 4G When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries. When __rdma_block_iter_next() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation. Use the right types to hold DMA addresses.
Title RDMA/umem: Fix truncation for block sizes >= 4G
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:28.012Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53133

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53133 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses
  • CWE-681

    Incorrect Conversion between Numeric Types