Impact
The Linux kernel contains a 32‑bit integer overflow in the RDMA/umem subsystem, classified as CWE‑681. When an IOMMU is used, a large linear memory block may span multiple scatter‑gather entries. The helper function that reassembles these entries, __rdma_block_iter_next(), writes the DMA addresses into 32‑bit stack variables, truncating the value for blocks that are 4 GB or larger. The truncated addresses can lead to memory mapping that does not correspond to the intended buffer, potentially allowing a buffer overflow or accidental sharing of memory between unrelated RDMA operations. The attack outcome could be data corruption or leakage of confidential information, although the detailed impact on confidentiality and integrity is not explicitly described in the advisory.
Affected Systems
All Linux kernel releases that compile the RDMA/umem subsystem with IOMMU support and have not incorporated the patch are vulnerable. This includes most mainstream distributions that ship a recent kernel and enable RDMA for storage or networking workloads that may use buffers of four gigabytes or more. Older kernels prior to the advisory that omitted the fix are also at risk.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity, and the EPSS score of < 1 % suggests a very low likelihood of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, based on the description, is an RDMA operation with a block size of at least 4 GB on a system where IOMMU is enabled—a scenario that is not typical for most environments but can occur in high‑performance compute or storage clusters that use large RDMA buffers.
OpenCVE Enrichment
Debian DLA