Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-52995— net/rds: zero per-item info buffer before handing it to visitors

EPSS 0.18% · P7
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-52995

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net/rds: zero per-item info buffer before handing it to visitors
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug. No functional change for visitors that fully populate their output. Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux ec16227e14141e4fd7ae76354c09dadfe2449d9e ~ 81651e9d7dea1c048d2952f57632a042931d7b43 -
LinuxLinux 2.6.30 -

II. Public POCs for CVE-2026-52995

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-52995

登录查看更多情报信息。

Patches & Fixes for CVE-2026-52995 (2)

Other References for CVE-2026-52995 (6)

Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total

CVE-2026-52980sched/fair: Clear rel_deadline when initializing forked entities
CVE-2026-52993tipc: fix double-free in tipc_buf_append()
CVE-2026-52991sched/psi: fix race between file release and pressure write
CVE-2026-52990fsnotify: fix inode reference leak in fsnotify_recalc_mask()
CVE-2026-52988netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase
CVE-2026-52989nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
CVE-2026-52987drm/amdgpu: avoid double drm_exec_fini() in userq validate
CVE-2026-52986netfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-52985netdevsim: zero initialize struct iphdr in dummy sk_buff
CVE-2026-52984net/sched: netem: fix queue limit check to include reordered packets
CVE-2026-52982net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-52983net: airoha: fix BQL imbalance in TX path
CVE-2026-52981neigh: let neigh_xmit take skb ownership
CVE-2026-52979net: psp: check for device unregister when creating assoc
CVE-2026-52968KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
CVE-2026-52972crypto: af_alg - Cap AEAD AD length to 0x80000000
CVE-2026-52970netfilter: nft_ct: fix missing expect put in obj eval
CVE-2026-52969KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
CVE-2026-52971net: ena: PHC: Fix potential use-after-free in get_timestamp
CVE-2026-52967smb/client: fix possible infinite loop and oob read in symlink_data()

Showing top 20 of 219 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-52995

No comments yet


Leave a comment