Impact
This flaw resides in the Linux kernel’s RDMA subsystem. User space can pass a CPU identifier through UVERBS_ATTR_ALLOC_DMAH_CPU_ID without the kernel validating it. The value is handed directly to cpumask_test_cpu(), which can then read beyond the end of the CPU mask bitmap. On a kernel built with CONFIG_DEBUG_PER_CPU_MAPS, the missing range check triggers WARN_ON_ONCE; if panic_on_warn is also enabled, the untrusted input can reliably force a system reboot. The only direct impact is a denial of service via an out‑of‑bounds read, with no known path to information disclosure or privilege escalation, as the code path is confined to the kernel’s RDMA handling.
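To make the failure mode concrete, the following is an added user-space model of the problem described above and of the bounds check that closes it; it is not the kernel's code. Everything prefixed model_ (the mask size, the sample online mask, the two allocation paths) and the error codes chosen for the rejection paths are assumptions of this example, not values taken from the kernel source.

```c
/* Added example, not the kernel's code: a user-space model of the cpumask
 * index problem described in the advisory and of the range check that
 * prevents it. All model_* names and the error codes used on the rejection
 * paths are assumptions of this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_NR_CPU_IDS 8u                      /* stands in for nr_cpu_ids */
#define MODEL_BITS_PER_LONG (8u * sizeof(unsigned long))
#define MODEL_MASK_LONGS \
    ((MODEL_NR_CPU_IDS + MODEL_BITS_PER_LONG - 1) / MODEL_BITS_PER_LONG)

struct model_cpumask {
    unsigned long bits[MODEL_MASK_LONGS];       /* one bit per possible CPU */
};

/* Constructed sample online mask: CPUs 0..5 online, CPUs 6 and 7 offline. */
static const struct model_cpumask model_cpu_online_mask = { { 0x3fUL } };

/* Mirrors the range check that CONFIG_DEBUG_PER_CPU_MAPS places in front of
 * the bitmap access: true means the kernel would hit WARN_ON_ONCE() here. */
static bool model_cpu_id_out_of_range(uint32_t cpu)
{
    return cpu >= MODEL_NR_CPU_IDS;
}

/* Models cpumask_test_cpu() indexing the bitmap with an unchecked cpu id.
 * Instead of actually reading past bits[], the model sets *oob and returns
 * false so the out-of-bounds access is observable rather than undefined. */
static bool model_cpumask_test_cpu(const struct model_cpumask *m, uint32_t cpu,
                                   bool *oob)
{
    uint32_t idx = cpu / MODEL_BITS_PER_LONG;

    if (idx >= MODEL_MASK_LONGS) {
        *oob = true;                              /* read would leave bits[] */
        return false;
    }
    *oob = false;
    return (m->bits[idx] >> (cpu % MODEL_BITS_PER_LONG)) & 1UL;
}

/* Vulnerable shape: the user-supplied cpu id reaches the bitmap test with no
 * validation. Returns 0 on success or -ENXIO if the CPU is not online;
 * *warned reports whether the debug range check would have fired, *oob
 * whether the bitmap read would have gone out of bounds. */
static int model_dmah_alloc_vulnerable(uint32_t user_cpu_id, bool *warned,
                                       bool *oob)
{
    *warned = model_cpu_id_out_of_range(user_cpu_id);
    if (!model_cpumask_test_cpu(&model_cpu_online_mask, user_cpu_id, oob))
        return -ENXIO;
    return 0;
}

/* Hardened shape: reject any id at or beyond nr_cpu_ids before the bitmap is
 * touched, so neither the debug warning nor the OOB read can occur. */
static int model_dmah_alloc_fixed(uint32_t user_cpu_id)
{
    bool oob;

    if (model_cpu_id_out_of_range(user_cpu_id))
        return -EINVAL;                           /* never reaches the bitmap */
    if (!model_cpumask_test_cpu(&model_cpu_online_mask, user_cpu_id, &oob))
        return -ENXIO;
    return 0;
}

int main(void)
{
    bool warned, oob;
    uint32_t ids[] = { 3u, 6u, 8u, 0xffffffffu };  /* constructed inputs */

    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        int vuln = model_dmah_alloc_vulnerable(ids[i], &warned, &oob);
        int fixed = model_dmah_alloc_fixed(ids[i]);
        printf("cpu_id=%u vulnerable=%d warned=%d oob=%d fixed=%d\n",
               ids[i], vuln, warned, oob, fixed);
    }
    return 0;
}
```

The point the model makes is the one the advisory describes: a value that is merely "not online" is handled safely by either path, but a value at or beyond nr_cpu_ids is only safe once it is rejected before the bitmap is indexed. With the debug check modelled separately from the raw read, you can see why CONFIG_DEBUG_PER_CPU_MAPS turns a silent out-of-bounds read into a warning, and why panic_on_warn then turns that warning into a reboot.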
Affected Systems
All Linux kernel releases containing the RDMA core and uverbs driver without the fix applied are affected. The vulnerability is not tied to a specific version string, so any kernel compiled with RDMA support that lacks the patch is vulnerable. Systems that load the RDMA core module, or have it built into the kernel, are at risk.
Risk and Exploitability
CVSS and EPSS scores are not available, and the flaw is not listed in CISA’s KEV catalog. Triggering it requires a local user or process able to issue RDMA allocation requests, since the flaw is reached through the uverbs interface. Because the path involves unvalidated user data, the difficulty of exploitation is moderate to high: the attacker must issue a DMA handle allocation request through that interface carrying an out‑of‑range CPU ID. No public exploits exist, but the ability to force a system reboot makes the flaw severe for impacted environments, especially those running with panic_on_warn turned on.
OpenCVE Enrichment