Description
In the Linux kernel, the following vulnerability has been resolved:

net: rds: clear i_sends on setup unwind

The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.

When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.

Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.
Published: 2026-07-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw occurs when the RDS InfiniBand connection setup routine fails after allocating send descriptors but before allocating receive descriptors. During the error unwind path the code frees the send descriptors but leaves the pointer intact. A later shutdown pass may still treat this stale pointer as a valid send ring, leading to incorrect resource deallocation and possible memory corruption or system instability. The weakness is a classic use‑after‑free scenario that could allow an attacker to trigger a kernel crash or denial of service if they can force the failing setup path.
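A simplified userspace model of the ownership-by-NULL pattern described above, added here as an example and not taken from the kernel source. The `i_sends`, `i_recvs` and `sends_out` names come from the advisory; `setup_qp`, `shutdown_conn`, `ring_alloc`, `ring_free` and the static pool are hypothetical stand-ins. It counts how often a teardown pass releases a ring that the failed setup had already freed, with and without clearing the pointer on unwind.

```c
#include <stdio.h>

struct conn { void *i_sends; void *i_recvs; };  /* field names from the advisory */
static char pool[4][64];                        /* stand-in for the ring allocations */
static int in_use[4], stale_releases;           /* slot state; count of bad releases */

static void *ring_alloc(void) {
    for (int i = 0; i < 4; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Models vfree(): releasing a slot that is no longer in use is the bug. */
static void ring_free(void *p) {
    int i = (int)(((char *)p - pool[0]) / (int)sizeof pool[0]);
    if (in_use[i]) in_use[i] = 0; else stale_releases++;
}

/* Setup that fails after i_sends is allocated and before i_recvs is. */
static int setup_qp(struct conn *ic, int clear_on_unwind) {
    ic->i_sends = ring_alloc();
    if (!ic->i_sends) return -1;
    /* constructed failure: assume the i_recvs allocation fails at this point */
    ring_free(ic->i_sends);                    /* sends_out unwind */
    if (clear_on_unwind) ic->i_sends = NULL;   /* the fix: ownership has ended */
    return -1;
}

/* Teardown that tolerates partial setup and repeated calls via NULL checks. */
static void shutdown_conn(struct conn *ic) {
    if (ic->i_sends) { ring_free(ic->i_sends); ic->i_sends = NULL; }
    if (ic->i_recvs) { ring_free(ic->i_recvs); ic->i_recvs = NULL; }
}

/* One failed setup followed by two shutdown passes; returns stale releases. */
int run_scenario(int clear_on_unwind) {
    struct conn ic = { NULL, NULL };
    stale_releases = 0;
    setup_qp(&ic, clear_on_unwind);
    shutdown_conn(&ic);
    shutdown_conn(&ic);
    return stale_releases;
}

int main(void) {
    printf("stale releases: %d before fix, %d after\n", run_scenario(0), run_scenario(1));
    return 0;
}
```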

Affected Systems

The vulnerability affects the Linux kernel’s RDS (Reliable Datagram Sockets) transport layer. Any Linux distribution that ships a kernel before the inclusion of the commits referenced in the CVE references is potentially vulnerable. The patch is part of the mainline kernel, so all generic Linux installations—e.g., Ubuntu, Debian, Red Hat, Fedora, CentOS—are impacted until they upgrade to a kernel that includes the fix.

Risk and Exploitability

The public CVSS, EPSS, and KEV scores are not provided, but the issue involves a low‑level kernel pointer misuse that may lead to a crash or denial of service. The required conditions are a failed RDS IB setup during a connection lifecycle, which an attacker would need to induce—most likely with local or privileged access to the system’s RDMA network stack. Although there is no indication that the vulnerability is currently being actively exploited, the lack of an EPSS score makes it difficult to assess real‑world exploitation probability. The risk level is best treated as moderate to high until the kernel is patched.

Generated by OpenCVE AI on July 1, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the commit which clears i_sends during the setup unwind path (see commits included in the CVE references).
  • Reboot the system to load the updated kernel and activate the protection.
  • After reboot, monitor system logs for any abnormal shutdown or memory error messages that may indicate lingering resource deallocation issues.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Wed, 01 Jul 2026 13:45:00 +0000

Type | Values Removed | Values Added
Title | | net: rds: clear i_sends on setup unwind
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:30.831Z

Reserved: 2026-06-09T07:44:35.400Z

Link: CVE-2026-53355

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T18:30:15Z

Weaknesses