CVE-2026-52939

Source
https://cve.org/CVERecord?id=CVE-2026-52939
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52939.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52939
Downstream
Related
Published
2026-06-24T07:14:28.622Z
Modified
2026-07-10T03:54:48.507141117Z
Summary
net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix NULL deref in rdsibsendcqehandler() on masked atomic completion

rdsibxmitatomic() always programs a masked atomic opcode (IBWRMASKEDATOMICCMPANDSWP or IBWRMASKEDATOMICFETCHANDADD) for every RDS atomic cmsg. But the completion-side switch in rdsibsendunmapop() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->sop is left set. rdsibsendcqehandler() then dereferences the NULL rm via rm->mfinalop, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed.

RDS/IB: rdsibsendunmapop: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rdsibsendcqehandler+0x25c/0xb10 (net/rds/ibsend.c:282) Call Trace: <IRQ> rdsibsendcqehandler (net/rds/ibsend.c:282) pollscq (net/rds/ibcm.c:274) rdsibtaskletfnsend (net/rds/ibcm.c:294) taskletactioncommon (kernel/softirq.c:943) handlesoftirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt

Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rdsmessage.atomic union member, so the existing containerof()/rdsibsendunmapatomic() body is correct for them.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52939.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
20c72bd5f5f902e5a8745d51573699605bf8d21c
Fixed
a0148342badd8c9b2e46551766a27cb76c82e715
Fixed
4dd262f875e87653df50b138de1390ab0628e6b7
Fixed
6e4615164d185a26badb2f376a2449f4d174a5f0
Fixed
0f22412a2f4fbbe0251c132abee045d15a90e5b6
Fixed
0f7baa82a24813cdad0b06a6f8f07e4824af5ed5
Fixed
dcf458120add64c96a6ef5cf719340453f6e6abf
Fixed
4fd34669558085bcb589aa2078a13b0ca79e360d
Fixed
34080db3e70ddf94c38512ad2331e3c3afca6cc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52939.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.37
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52939.json"