CVE-2026-31425 | Linux Kernel up to 6.1.167/6.6.133/6.12.80/6.18.21/6.19.11 Control Message rds_ib_get_mr null pointer dereference
VulDBArchived Apr 13, 2026✓ Full text saved
A vulnerability classified as critical has been found in Linux Kernel up to 6.1.167/6.6.133/6.12.80/6.18.21/6.19.11 . Impacted is the function rds_ib_get_mr of the component Control Message Handler . Performing a manipulation results in null pointer dereference. This vulnerability was named CVE-2026-31425 . The attack needs to be approached within the local network. There is no available exploit. It is recommended to upgrade the affected component.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-357154 · CVE-2026-31425 · GCVE-0-2026-31425
LINUX KERNEL UP TO 6.1.167/6.6.133/6.12.80/6.18.21/6.19.11 CONTROL MESSAGE RDS_IB_GET_MR NULL POINTER DEREFERENCE
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
4.6 $0-$5k 1.50+
Summaryinfo
A vulnerability classified as critical was found in Linux Kernel up to 6.1.167/6.6.133/6.12.80/6.18.21/6.19.11. The affected element is the function rds_ib_get_mr of the component Control Message Handler. Executing a manipulation can lead to null pointer dereference. The identification of this vulnerability is CVE-2026-31425. There is no exploit available. Upgrading the affected component is advised.
Detailsinfo
A vulnerability was found in Linux Kernel up to 6.1.167/6.6.133/6.12.80/6.18.21/6.19.11. It has been declared as critical. This vulnerability affects the function rds_ib_get_mr of the component Control Message Handler. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel. The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64 Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.
The advisory is available at git.kernel.org. This vulnerability was named CVE-2026-31425 since 03/09/2026. The exploitation appears to be difficult. Technical details are known, but there is no available exploit.
Upgrading to version 6.1.168, 6.6.134, 6.12.81, 6.18.22 or 6.19.12 eliminates this vulnerability. Applying the patch 450ec93c0f172374acbf236f1f5f02d53650aa2d/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc/a5bfd14c9a299e6db4add4440430ee5e010b03ad/23e07c340c445f0ebff7757ba15434cb447eb662/47de5b73db3b88f45c107393f26aeba26e9e8fae/a54ecccfae62c5c85259ae5ea5d9c20009519049 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
Productinfo
Type
Operating System
Vendor
Linux
Name
Kernel
Version
6.1.167
6.6.133
6.12.0
6.12.1
6.12.2
6.12.3
6.12.4
6.12.5
6.12.6
6.12.7
6.12.8
6.12.9
6.12.10
6.12.11
6.12.12
6.12.13
6.12.14
6.12.15
6.12.16
6.12.17
6.12.18
6.12.19
6.12.20
6.12.21
6.12.22
6.12.23
6.12.24
6.12.25
6.12.26
6.12.27
6.12.28
6.12.29
6.12.30
6.12.31
6.12.32
6.12.33
6.12.34
6.12.35
6.12.36
6.12.37
6.12.38
6.12.39
6.12.40
6.12.41
6.12.42
6.12.43
6.12.44
6.12.45
6.12.46
6.12.47
6.12.48
6.12.49
6.12.50
6.12.51
6.12.52
6.12.53
6.12.54
6.12.55
6.12.56
6.12.57
6.12.58
6.12.59
6.12.60
6.12.61
6.12.62
6.12.63
6.12.64
6.12.65
6.12.66
6.12.67
6.12.68
6.12.69
6.12.70
6.12.71
6.12.72
6.12.73
6.12.74
6.12.75
6.12.76
6.12.77
6.12.78
6.12.79
6.12.80
6.18.0
6.18.1
6.18.2
6.18.3
6.18.4
6.18.5
6.18.6
6.18.7
6.18.8
6.18.9
6.18.10
6.18.11
6.18.12
6.18.13
6.18.14
6.18.15
6.18.16
6.18.17
6.18.18
6.18.19
6.18.20
6.18.21
6.19.0
6.19.1
6.19.2
6.19.3
6.19.4
6.19.5
6.19.6
6.19.7
6.19.8
6.19.9
6.19.10
6.19.11
License
open-source
Website
Vendor: https://www.kernel.org/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 4.8
VulDB Meta Temp Score: 4.6
VulDB Base Score: 4.8
VulDB Temp Score: 4.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Null pointer dereference
CWE: CWE-476 / CWE-404
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Partially
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.1.168/6.6.134/6.12.81/6.18.22/6.19.12
Patch: 450ec93c0f172374acbf236f1f5f02d53650aa2d/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc/a5bfd14c9a299e6db4add4440430ee5e010b03ad/23e07c340c445f0ebff7757ba15434cb447eb662/47de5b73db3b88f45c107393f26aeba26e9e8fae/a54ecccfae62c5c85259ae5ea5d9c20009519049
Timelineinfo
03/09/2026 CVE reserved
04/13/2026 +34 days Advisory disclosed
04/13/2026 +0 days VulDB entry created
04/13/2026 +0 days VulDB entry last update
Sourcesinfo
Vendor: kernel.org
Advisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-31425 (🔒)
GCVE (CVE): GCVE-0-2026-31425
GCVE (VulDB): GCVE-100-357154
Entryinfo
Created: 04/13/2026 16:06
Changes: 04/13/2026 16:06 (59)
Complete: 🔍
Cache ID: 99:EF5:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸