In the Linux kernel, the following vulnerability has been resolved:
net/rds: zero per-item info buffer before handing it to visitors
rdsforeachconninfo() and rdswalkconnpathinfo() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full itemlen bytes back to user space via rdsinfo_copy() regardless of how much of the buffer the visitor actually wrote.
rdsibconninfovisitor() and rds6ibconninfovisitor() only write a subset of their output struct when the underlying rdsconnection is not in state RDSCONNUP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (maxsendwr, maxrecvwr, maxsendsge, rdmamrmax, rdmamrsize, cacheallocs) and the 2-byte alignment hole between sl and cacheallocs remain as whatever stack contents preceded the visitor call and are then memcpyto_user()'d out to user space.
struct rdsinfordmaconnection and struct rds6infordmaconnection are the only rdsinfo* structs in include/uapi/linux/rds.h that are not marked attribute((packed)), so they have a real alignment hole. The other info visitors (rdsconninfovisitor, rds6conninfovisitor, rdstcptc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug.
Reproduction on a kernel built without CONFIGINITSTACKALLZERO=y: a local unprivileged user opens AFRDS, sets SORDSTRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rdsconnection in the global hash in RDSCONNCONNECTING), then calls getsockopt(SOLRDS, RDSINFOIBCONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers:
0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2
8..39 00 ... gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max)
56..59 01 00 08 00 rdma_mr_size (garbage)
60..61 00 00 tos, sl
62..63 00 00 alignment padding
64..67 18 00 00 00 cache_allocs (garbage)
Fix by zeroing the per-item buffer in both rdsforeachconninfo() and rdswalkconnpathinfo() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.
No functional change for visitors that fully populate their output.
Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52995.json",
"cna_assigner": "Linux"
}