MEDIUM 5.5

CVE-2026-46127

A local memory safety issue exists in the Linux kernel's RDMA over Converged Ethernet (OCRDMA) driver. During certain error conditions in the protection domain setup function, the code attempts to dereference a null pointer instead of using a valid reference, potentially crashing the system. The vulnerability requires local access and specific user privileges to trigger, making it a moderate-severity issue affecting system stability rather than confidentiality or integrity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46127 is a null pointer dereference vulnerability (CWE-476) in the Linux kernel RDMA/ocrdma subsystem within the ocrdma_copy_pd_uresp() function. The pd->uctx field is not initialized until late in the function execution, yet early error paths attempt to dereference this pointer, leading to a kernel crash. The fix involves using the uctx parameter that is passed into the function rather than relying on the uninitialized pd->uctx reference during error handling.

Business impact

This vulnerability impacts system availability on Linux systems running the OCRDMA driver, particularly in environments using RDMA-capable networking hardware. Exploitation results in denial of service through kernel panic, affecting workloads dependent on those systems. For organizations operating high-performance computing clusters, storage appliances, or networked systems with RDMA support, this could cause unexpected downtime and service interruption during sensitive operations.

Affected systems

The vulnerability affects the Linux kernel across multiple versions that include the OCRDMA RDMA driver. The impact is limited to systems that have OCRDMA-compatible hardware and drivers enabled. Most end-user systems are unaffected unless they specifically use RDMA networking infrastructure or specialized interconnect hardware such as that found in HPC environments, datacenters with InfiniBand deployments, or enterprise storage systems.

Exploitability

The vulnerability has a low exploitability barrier due to its straightforward nature as a null pointer dereference, but practical exploitation is constrained by access requirements. An attacker must have local access to the system and sufficient user privileges to invoke the affected code path in the RDMA subsystem. There is no evidence of exploitation in the wild (KEV status: not listed), and no known public exploit code exists, reducing immediate practical risk.

Remediation

Apply the Linux kernel patch that resolves the null pointer dereference in ocrdma_copy_pd_uresp(). The fix is a targeted change to the error handling logic within that function to use the correct, non-null uctx reference. Verify the patch against the kernel version and RDMA driver release notes provided by your Linux distribution or vendor. Affected systems should prioritize this update as part of routine kernel maintenance, particularly if RDMA hardware is actively deployed.

Patch guidance

Consult your Linux distribution's security advisories for kernel updates addressing CVE-2026-46127. Patch availability and versioning will vary by distribution (RHEL, Ubuntu, SUSE, Debian, etc.). For systems with OCRDMA drivers enabled, prioritize applying kernel updates that include this fix during regular maintenance windows. Test patches in non-production environments first, especially in HPC or storage-critical deployments where RDMA uptime is critical. Verify patch release dates align with the June 2026 modification date of this CVE.

Detection guidance

Monitor kernel logs for OCRDMA-related errors or unexpected null pointer exceptions. Correlation of system crashes with RDMA protection domain creation events during setup or error scenarios may indicate exploitation attempts. Intrusion detection systems should flag suspicious local process activities targeting RDMA driver interfaces. System administrators can use kernel debugging tools (dmesg, kmesg) and crash dump analysis to identify the ocrdma_copy_pd_uresp() function in stack traces. Performance baselines should capture any unexpected system restarts or panics on systems running OCRDMA.

Why prioritize this

This vulnerability merits standard priority for systems running OCRDMA drivers. The CVSS score of 5.5 (MEDIUM) reflects the availability impact and local access requirement. Organizations with RDMA infrastructure should address this promptly to prevent unexpected downtime, while systems without OCRDMA support can defer action. The absence of active exploitation (KEV status: false) and the requirement for local user privileges reduce urgent escalation, but the crash-inducing nature of null pointer dereferences warrants timely patching during normal maintenance cycles.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects a MEDIUM severity rating based on the following factors: (1) Attack Vector: Local (AV:L) — requires local system access; (2) Attack Complexity: Low (AC:L) — no special conditions needed once local access is gained; (3) Privileges Required: Low (PR:L) — standard user privileges are sufficient; (4) User Interaction: None (UI:N) — automatic upon code path execution; (5) Availability Impact: High (A:H) — kernel crash causes denial of service; (6) No impact to Confidentiality (C:N) or Integrity (I:N). The score appropriately reflects a availability-only DoS vulnerability with practical exploitation constraints.

Frequently asked questions

Does this vulnerability affect my Linux system?

Only if your system has OCRDMA (RDMA over Converged Ethernet) drivers compiled into or loaded as modules in the kernel, and you are running a vulnerable kernel version. Most consumer and enterprise systems without specific RDMA hardware or HPC configurations are unaffected. Check your kernel configuration and loaded modules to determine exposure.

Can this be exploited remotely?

No. CVE-2026-46127 requires local access to the system and user-level privileges. Remote exploitation is not possible. The threat model is limited to local users or authenticated accounts with access to RDMA operations.

What happens when this vulnerability is triggered?

The kernel crashes due to a null pointer dereference in the OCRDMA driver, resulting in a kernel panic and system restart. This causes denial of service but does not compromise data confidentiality or enable unauthorized access. Users and applications will experience an unexpected system shutdown.

Is there a workaround if I can't patch immediately?

The most effective mitigation is to disable OCRDMA drivers if your environment does not actively require RDMA networking. This eliminates the attack surface. Otherwise, restrict local access to the system and apply the patch at your earliest maintenance window. Kernel updates are the proper remediation.

This analysis is based on publicly available vulnerability data current as of the publication date. CVSS scores, patch versions, and vendor advisory details are derived from authoritative sources (NVD, vendor advisories, KEV catalog). Readers must verify patch availability and applicability within their specific Linux distribution and kernel version before applying updates. SEC.co does not assume liability for the accuracy or completeness of third-party vendor patch information. Organizations should conduct thorough testing in non-production environments before deploying kernel patches to production systems. This vulnerability analysis does not constitute legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities