Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/srp: bound SRP_RSP sense copy by the received length

srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.

Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.
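The check described above, as an added example (a userspace model written for this page, not the kernel patch): the sense copy is allowed only when the fixed header, the response data and the sense bytes all fit in the bytes received. It assumes the 36-byte fixed SRP_RSP header layout with flags at offset 18, sense_data_len at 28 and resp_data_len at 32, and treats the "sense region" as the capped copy length; `srp_rsp_copy_sense` and `srp_demo` are hypothetical names, and the sample IU is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SRP_RSP_HDR_LEN        36   /* fixed fields before data[] (assumed layout) */
#define SRP_RSP_FLAG_SNSVALID  0x02
#define SCSI_SENSE_BUFFERSIZE  96

static uint32_t be32(const uint8_t *p)   /* big-endian wire field */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Model of the bounded copy; byte_len plays the role of wc->byte_len.
 * Returns sense bytes copied, 0 if no sense is flagged, -1 if dropped as truncated. */
int srp_rsp_copy_sense(const uint8_t *iu, size_t byte_len, uint8_t *sense)
{
    uint32_t sense_len, resp_len, copy_len;

    if (byte_len < SRP_RSP_HDR_LEN)
        return -1;                            /* header itself is truncated */
    if (!(iu[18] & SRP_RSP_FLAG_SNSVALID))    /* flags byte */
        return 0;
    sense_len = be32(iu + 28);                /* sense_data_len */
    resp_len  = be32(iu + 32);                /* resp_data_len, target-supplied */
    copy_len  = sense_len < SCSI_SENSE_BUFFERSIZE ? sense_len : SCSI_SENSE_BUFFERSIZE;

    /* 64-bit sum: a 32-bit add would wrap for resp_data_len near 0xFFFFFFFF. */
    if ((uint64_t)SRP_RSP_HDR_LEN + resp_len + copy_len > byte_len)
        return -1;                            /* drop the sense; the caller logs */

    memcpy(sense, iu + SRP_RSP_HDR_LEN + resp_len, copy_len);
    return (int)copy_len;
}

/* Constructed sample: build an SRP_RSP in a 256-byte buffer (byte_len <= 256) and parse it. */
int srp_demo(uint32_t resp_len, uint32_t sense_len, size_t byte_len)
{
    uint8_t iu[256] = {0}, sense[SCSI_SENSE_BUFFERSIZE];

    iu[18] = SRP_RSP_FLAG_SNSVALID;
    for (int i = 0; i < 4; i++) {
        iu[28 + i] = (uint8_t)(sense_len >> (24 - 8 * i));
        iu[32 + i] = (uint8_t)(resp_len >> (24 - 8 * i));
    }
    return srp_rsp_copy_sense(iu, byte_len, sense);
}
```

Capping only the copy length, as the pre-fix code did, leaves the source offset under the target's control; the sum against the received length is what bounds it.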
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the Linux kernel's RDMA SRP subsystem when the routine srp_process_rsp() copies sense data from the SRP target response using a length supplied by the target (resp_data_len). This length is never limited by the actual number of bytes received, leading to an out-of-bounds read. The copy operation is capped at the maximum sense buffer size of 96 bytes, but the source offset can be far beyond the received data. An attacker who can influence the SRP target can send a response with a very large resp_data_len, causing the kernel to read beyond the bounds of the receive buffer, which may result in a kernel fault or exposure of sensitive kernel memory. This constitutes a CWE-130 weakness and the primary impact is accidental disclosure of kernel memory contents or denial of service via a crash.

Affected Systems

The flaw is present in the Linux kernel; the affected product is the kernel itself on any machine using the RDMA SRP protocol, regardless of distribution or kernel variant. No specific version range is provided, but the issue is fixed in later kernel releases that enforce proper bounds checking on the response length.

Risk and Exploitability

An EPSS score of < 1% is available, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability requires a compromised or malicious SRP target within the InfiniBand/RoCE fabric that the Linux system has logged into. While the attack surface is limited to environments using the SRP RDMA protocol, the lack of bounds validation makes exploitation likely if the attacker can send crafted responses. The risk level is considered high in affected deployments, but the exact exploitation probability remains uncertain due to the low EPSS score.

Generated by OpenCVE AI on June 26, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that incorporates the fix for the SRP sense copy bounds check, as available from the distribution vendor or upstream Linux kernel maintainers.
  • Restrict or monitor access to RDMA SRP targets to prevent malicious or compromised devices from sending crafted responses.
  • If an immediate kernel update is not possible, consider using network segmentation or firewalls to limit exposure of the RDMA/RoCE ingress ports to trusted hosts.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Title RDMA/srp: bound SRP_RSP sense copy by the received length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:59.508Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53186

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Public Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53186 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T14:30:17Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency