PatchSiren cyber security CVE debrief
CVE-2026-52995 Linux CVE debrief
A local unprivileged user can exploit a vulnerability in the Linux kernel's RDS (Reliable Datagram Service) subsystem. The issue arises from the failure to zero a per-item info buffer before handing it to visitors, potentially leaking sensitive stack contents, including kernel text and data pointers, to user space. This can occur when a user opens an AF_RDS socket, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev, sends a message to any peer on the same subnet, and then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned item may contain stack garbage, including kernel pointers and other sensitive information. The vulnerability was resolved by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This fix covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-24
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-06-24
- Advisory updated
- 2026-07-10
Who should care
System administrators and users of Linux-based systems should be aware of this vulnerability, especially those with unprivileged user access. This vulnerability could potentially be used to gather sensitive information about the system's memory layout.
Technical summary
The vulnerability exists in the RDS subsystem of the Linux kernel. Specifically, the functions rds_for_each_conn_info() and rds_walk_conn_path_info() hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy(). If the visitor does not fully populate the buffer, it may contain stack garbage, including kernel pointers and other sensitive information. This can be exploited by a local unprivileged user who can open an AF_RDS socket, set SO_RDS_TRANSPORT=IB, bind to a local address on an RDMA-capable netdev, sendto() to any peer on the same subnet, and then call getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS) to receive the 68-byte item containing stack garbage.
Defensive priority
High
Recommended defensive actions
- Apply the official patch or update to a fixed kernel version
- Restrict access to RDS functionality for unprivileged users
- Monitor system logs for suspicious RDS activity
- Consider implementing additional security controls, such as SELinux or AppArmor policies, to limit RDS usage
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability was resolved by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This fix covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.
Official resources
-
CVE-2026-52995 CVE record
CVE.org
-
CVE-2026-52995 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T17:17:10.423Z and has not been modified since then.