PatchSiren cyber security CVE debrief
CVE-2026-31425 Linux CVE debrief
CVE-2026-31425 is a Linux kernel availability issue in the RDS over InfiniBand path. On a fresh outgoing connection, the code can reach FRMR memory registration before the RDMA connection is fully established, which can lead to a null pointer dereference and kernel crash. NVD rates the issue MEDIUM with local attack requirements and high availability impact. The issue was published on 2026-04-13 and updated on 2026-05-20 with stable-kernel patch references.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-13
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-13
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, and operators running RDS over InfiniBand/RDMA on affected kernel branches should care most. Hosts that accept untrusted local users or container workloads are especially relevant because the attack path is local and requires sendmsg-based interaction with the RDS RDMA map control message.
Technical summary
The supplied description says rds_ib_get_mr() can be called from the sendmsg() control-message path before the InfiniBand connection has been established. In that state, ic may exist while ic->i_cm_id and the associated qp are still NULL. The code then proceeds into rds_ib_reg_frmr() and rds_ib_post_reg_frmr(), where dereferencing ic->i_cm_id->qp can trigger a null pointer dereference. The fix adds readiness checks in rds_ib_get_mr() so FRMR registration only proceeds when ic, i_cm_id, and qp are all non-NULL, and otherwise returns -ENODEV for higher-level retry handling.
Defensive priority
Medium. This is a kernel crash/denial-of-service flaw rather than a code-execution issue in the supplied record, but it affects a privileged core component and is reachable through a local path on systems using RDS over IB.
Recommended defensive actions
- Apply the Linux stable kernel updates that include the supplied RDS/IB FRMR fix references.
- Verify whether any deployed kernel line matches the vulnerable ranges listed by NVD, including long-term support branches back to 4.6 and current 7.0 release candidates.
- If RDS over InfiniBand is not required, consider disabling or restricting the feature set on affected systems until patched.
- Treat unexpected kernel crashes involving rds_ib_post_reg_frmr, rds_ib_map_frmr, or rds_ib_get_mr as a remediation signal and correlate with local sendmsg()/RDS RDMA map activity.
- Prioritize patching multi-user systems and environments where untrusted local code can run.
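The crash-signature check from the list above can be run over collected kernel logs. The following is an added example, not code from the CVE record or the kernel project: it groups each NULL-dereference report, keeps only those whose stack frames include the three functions named in this debrief, and returns the faulting PID and task name for correlation. The log excerpt is constructed, and the function and variable names are chosen for this example.

```python
import re

# Frames the debrief lists as the crash signature for CVE-2026-31425.
SIGNATURE = ("rds_ib_post_reg_frmr", "rds_ib_map_frmr", "rds_ib_get_mr")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg "[  812.440101] " prefix
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # symbol+0xoff/0xlen
TASK = re.compile(r"PID: (\d+) Comm: (\S+)")  # faulting task line

def find_rds_ib_crashes(log_text):
    """Return one record per NULL-dereference report whose trace hits SIGNATURE."""
    hits, report = [], None
    def close(rep):
        matched = [f for f in SIGNATURE if f in rep["frames"]]
        if matched:
            hits.append({"pid": rep["pid"], "comm": rep["comm"], "matched": matched})
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if "BUG: kernel NULL pointer dereference" in line:
            if report is not None:  # previous report was cut short
                close(report)
            report = {"pid": None, "comm": None, "frames": set()}
        elif report is not None:
            report["frames"].update(FRAME.findall(line))
            task = TASK.search(line)
            if task and report["pid"] is None:
                report["pid"], report["comm"] = int(task.group(1)), task.group(2)
            if "---[ end trace" in line:
                close(report)
                report = None
    if report is not None:  # log ended mid-report (host went down)
        close(report)
    return hits

# Constructed sample: offsets, PIDs, task names and example_drv_read are made up.
SAMPLE_LOG = """\
[  812.440101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.440188] CPU: 3 PID: 4121 Comm: rds_client Not tainted
[  812.440251] RIP: 0010:rds_ib_post_reg_frmr+0x4c/0x1f0 [rds_rdma]
[  812.440330] Call Trace:
[  812.440372]  rds_ib_map_frmr+0x2a1/0x3d0 [rds_rdma]
[  812.440415]  rds_ib_get_mr+0x8e/0x140 [rds_rdma]
[  812.440590] ---[ end trace 0000000000000000 ]---
[ 1290.118320] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 1290.118411] CPU: 0 PID: 977 Comm: backup_agent Not tainted
[ 1290.118466] RIP: 0010:example_drv_read+0x1c/0x90 [example_drv]
[ 1290.118702] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    print(find_rds_ib_crashes(SAMPLE_LOG))
```

A report that is truncated because the host went down before the trace finished is still evaluated on the frames that were logged.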
Evidence notes
This debrief is based only on the supplied CVE description, the NVD record metadata, and the official Linux stable patch references. The supplied text explicitly identifies the failing flow in rds_ib_get_mr()/rds_ib_post_reg_frmr(), the null dereference condition involving ic->i_cm_id->qp, the kernel crash outcome, and the intended fix. NVD supplies the affected kernel version ranges and the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Official resources
- CVE-2026-31425 CVE record (CVE.org)
- CVE-2026-31425 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
CVE-2026-31425 was published on 2026-04-13T14:16:12.420Z and updated on 2026-05-20T17:56:52.097Z. The provided record does not include a separate upstream disclosure timestamp beyond those CVE lifecycle dates.