CVE-2026-52995

Source
https://cve.org/CVERecord?id=CVE-2026-52995
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52995.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52995
Downstream
Published
2026-06-24T16:29:08.229Z
Modified
2026-07-12T03:55:20.297990339Z
Summary
net/rds: zero per-item info buffer before handing it to visitors
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: zero per-item info buffer before handing it to visitors

rdsforeachconninfo() and rdswalkconnpathinfo() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full itemlen bytes back to user space via rdsinfo_copy() regardless of how much of the buffer the visitor actually wrote.

rdsibconninfovisitor() and rds6ibconninfovisitor() only write a subset of their output struct when the underlying rdsconnection is not in state RDSCONNUP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (maxsendwr, maxrecvwr, maxsendsge, rdmamrmax, rdmamrsize, cacheallocs) and the 2-byte alignment hole between sl and cacheallocs remain as whatever stack contents preceded the visitor call and are then memcpyto_user()'d out to user space.

struct rdsinfordmaconnection and struct rds6infordmaconnection are the only rdsinfo* structs in include/uapi/linux/rds.h that are not marked attribute((packed)), so they have a real alignment hole. The other info visitors (rdsconninfovisitor, rds6conninfovisitor, rdstcptc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug.

Reproduction on a kernel built without CONFIGINITSTACKALLZERO=y: a local unprivileged user opens AFRDS, sets SORDSTRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rdsconnection in the global hash in RDSCONNCONNECTING), then calls getsockopt(SOLRDS, RDSINFOIBCONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers:

0..7   0a 63 00 01 0a 63 00 02     src=10.99.0.1 dst=10.99.0.2
8..39  00 ...                      gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff     kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff     kernel pointer (rdma_mr_max)
56..59 01 00 08 00                 rdma_mr_size (garbage)
60..61 00 00                       tos, sl
62..63 00 00                       alignment padding
64..67 18 00 00 00                 cache_allocs (garbage)

Fix by zeroing the per-item buffer in both rdsforeachconninfo() and rdswalkconnpathinfo() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.

No functional change for visitors that fully populate their output.

Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52995.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ec16227e14141e4fd7ae76354c09dadfe2449d9e
Fixed
81651e9d7dea1c048d2952f57632a042931d7b43
Fixed
0797b2e6901827694aa9c34c4c72118c8c97fba1
Fixed
5e67cc262afb384e835c3327e9d954eeaedc6a87
Fixed
b6ba93a7b71ed443c9843eb12d27ed86f1e52694
Fixed
c7cb9eed8215a790f052f49cdccf577720d2bb62
Fixed
91ce1bb6e4194dc2321748f68145359dcf86e350
Fixed
912ba2e5704fdb8bc5decda96dfc1a57838f0099
Fixed
c88eb7e8d8397a8c1db59c425332c5a30b2a1682

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52995.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.30
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52995.json"