{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31425", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.088Z", "datePublished": "2026-04-13T13:40:28.911Z", "dateUpdated": "2026-05-11T22:08:27.602Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:27.602Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n rds_ib_get_mr (net/rds/ib_rdma.c:615)\n __rds_rdma_map (net/rds/rdma.c:295)\n rds_cmsg_rdma_map (net/rds/rdma.c:860)\n rds_sendmsg (net/rds/send.c:1363)\n ____sys_sendmsg\n do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rds/ib_rdma.c"], "versions": [{"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "c506456ebf84c50ed9327473d4e9bd905def212b", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "82e4a3b56b23b844802056c9e75a39d24169b0a4", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "450ec93c0f172374acbf236f1f5f02d53650aa2d", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "6b0a8de67ac0c74e1a7df92b73c862cb36780dfc", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "a5bfd14c9a299e6db4add4440430ee5e010b03ad", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "23e07c340c445f0ebff7757ba15434cb447eb662", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "47de5b73db3b88f45c107393f26aeba26e9e8fae", "status": "affected", "versionType": "git"}, {"version": "1659185fb4d0025835eb2058a141f0746c5cab00", "lessThan": "a54ecccfae62c5c85259ae5ea5d9c20009519049", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rds/ib_rdma.c"], "versions": [{"version": "4.6", "status": "affected"}, {"version": "0", "lessThan": "4.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b"}, {"url": "https://git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4"}, {"url": "https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d"}, {"url": "https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc"}, {"url": "https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"}, {"url": "https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662"}, {"url": "https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae"}, {"url": "https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049"}], "title": "rds: ib: reject FRMR registration before IB connection is established", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n rds_ib_get_mr (net/rds/ib_rdma.c:615)\n __rds_rdma_map (net/rds/rdma.c:295)\n rds_cmsg_rdma_map (net/rds/rdma.c:860)\n rds_sendmsg (net/rds/send.c:1363)\n ____sys_sendmsg\n do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker."}], "id": "CVE-2026-31425", "lastModified": "2026-04-18T09:16:32.637", "metrics": {}, "published": "2026-04-13T14:16:12.420", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: rds: ib: reject FRMR registration before IB connection is established", "id": "2457836", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457836"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel. A local user can trigger a null pointer dereference in the Reliable Datagram Sockets (RDS) over InfiniBand (IB) component. This occurs when `sendmsg()` with `RDS_CMSG_RDMA_MAP` is called on a new outgoing connection before the IB connection is fully established. Successful exploitation leads to a kernel crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31425", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31425\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31425\nhttps://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31425-40d3@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,450ec93c0f172374acbf236f1f5f02d53650aa2d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,6b0a8de67ac0c74e1a7df92b73c862cb36780dfc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,a5bfd14c9a299e6db4add4440430ee5e010b03ad)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,23e07c340c445f0ebff7757ba15434cb447eb662)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,47de5b73db3b88f45c107393f26aeba26e9e8fae)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1659185fb4d0025835eb2058a141f0746c5cab00,a54ecccfae62c5c85259ae5ea5d9c20009519049)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.6"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-14T01:37:36.614098+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the rds: ib null pointer dereference fix (commit 23e07c340c445f0ebff7757ba15434cb447eb662 or newer).", "If an immediate kernel upgrade is not possible, restart the system to clear any affected socket state and mitigate the risk of accidental crashes.", "Verify that no RDS_CMSG_RDMA_MAP control messages are sent before the RDMA connection is established; consider updating applications to ensure proper connection sequencing."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the vulnerable rds_ib_get_mr implementation are affected. The vulnerability is present until the patch included in commit 23e07c340c445f0ebff7757ba15434cb447eb662 (and related commits) is applied. No specific vendor version ranges are provided, so any kernel version before this fix should be considered vulnerable.", "description_and_impact": "This vulnerability occurs in the Linux kernel RDS IB module. The code attempts to register a memory region (FRMR) before the underlying RDMA connection is fully established, causing a null\u2011pointer dereference in rds_ib_post_reg_frmr. The resulting kernel fault crashes the system, providing a denial\u2011of\u2011service vector. The weakness corresponds to a null pointer dereference (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The attack vector is inferred to be local: an application with permission to call sendmsg on an RDS socket can trigger the fault before the RDMA connection is established. While the impact is limited to a kernel crash, the risk remains significant for critical systems that rely on uninterrupted kernel operation."}}}}, "created": "2026-04-14T16:19:15.197322+00:00", "updated": "2026-04-14T16:34:23.489891+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}