CVE-2026-31425

Source
https://cve.org/CVERecord?id=CVE-2026-31425
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31425.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31425
Downstream
Related
Published
2026-04-13T13:40:28.911Z
Modified
2026-07-09T18:30:32.084738922Z
Summary
rds: ib: reject FRMR registration before IB connection is established
Details

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rdsibgetmr() extracts the rdsibconnection from conn->ctransportdata and passes it to rdsibregfrmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rdsibconnalloc() with icmid = NULL because the connection worker has not yet called rdsibconnpathconnect() to create the rdmacmid. When sendmsg() with RDSCMSGRDMAMAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rdsibpostregfrmr() to dereference ic->icmid->qp and crash the kernel.

The existing guard in rdsibreg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rdsibpostregfrmr+0x50e/0x920 Call Trace: rdsibpostregfrmr (net/rds/ibfrmr.c:167) rdsibmapfrmr (net/rds/ibfrmr.c:252) rdsibregfrmr (net/rds/ibfrmr.c:430) rdsibgetmr (net/rds/ib_rdma.c:615) __rdsrdmamap (net/rds/rdma.c:295) rdscmsgrdmamap (net/rds/rdma.c:860) rdssendmsg (net/rds/send.c:1363) ___syssendmsg dosyscall64

Add a check in rdsibgetmr() that verifies ic, icmid, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rdsibpostinv(). Return -ENODEV when the connection is not ready, which the existing error handling in rdscmsgsend() converts to -EAGAIN for userspace retry and triggers rdsconnconnectifdown() to start the connection worker.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31425.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1659185fb4d0025835eb2058a141f0746c5cab00
Fixed
c506456ebf84c50ed9327473d4e9bd905def212b
Fixed
82e4a3b56b23b844802056c9e75a39d24169b0a4
Fixed
450ec93c0f172374acbf236f1f5f02d53650aa2d
Fixed
6b0a8de67ac0c74e1a7df92b73c862cb36780dfc
Fixed
a5bfd14c9a299e6db4add4440430ee5e010b03ad
Fixed
23e07c340c445f0ebff7757ba15434cb447eb662
Fixed
47de5b73db3b88f45c107393f26aeba26e9e8fae
Fixed
a54ecccfae62c5c85259ae5ea5d9c20009519049

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31425.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.6.0
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31425.json"