Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Validate the passed in fops for ib_get_ucaps()

Sashiko pointed out it is not safe to rely only on the devt because
char/block alias so if the user finds a block device with the same dev_t
it can masquerade as a ucap cdev fd.

Test the f_ops to only accept authentic cdevs.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel's ib_get_ucaps() function validates the file operations of a user-provided device without checking the device type, relying solely on the device type identifier. An attacker can create a block device that shares the same device identifier as the expected character device, causing the kernel to treat the block device as the RDMA user capabilities device. This misidentification can allow the attacker to invoke operations on the kernel with the wrong permissions, potentially leading to local privilege escalation or unauthorized actions against the RDMA subsystem.

Affected Systems

The flaw exists in the Linux kernel, affecting all deployments that use the RDMA core subsystem and rely on the ib_get_ucaps() function. No specific version range is listed, so any kernel that has not yet been patched for this check is potentially vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog, indicating that widespread exploitation has not been observed yet. However, because the flaw can be triggered by a local user who can craft a specific block device, the risk remains high for systems where RDMA is enabled and the kernel has not been updated. Attackers would need local access or the ability to influence device creation, but once they do, they can gain unauthorized capabilities through the RDMA path.

Generated by OpenCVE AI on June 25, 2026 at 10:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that implements the proper fops validation for ib_get_ucaps().
  • If an immediate kernel update is not possible, disable the RDMA subsystem or unload the ib core modules until the patched kernel is available.
  • Monitor system logs for attempts to create block devices that could masquerade as RDMA character devices and investigate any suspicious activity.

Generated by OpenCVE AI on June 25, 2026 at 10:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate the passed in fops for ib_get_ucaps() Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same dev_t it can masquerade as a ucap cdev fd. Test the f_ops to only accept authentic cdevs.
Title RDMA/core: Validate the passed in fops for ib_get_ucaps()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:00.960Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53188

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T11:00:11Z

Weaknesses