CVE-2026-52939
Linux Kernel Vulnerability Analysis and Mitigation

Overview

CVE-2026-52939 is a NULL pointer dereference vulnerability in the Linux kernel's RDS (Reliable Datagram Sockets) over InfiniBand implementation, specifically in the rds_ib_send_cqe_handler() function when processing masked atomic completion operations. The flaw has been present since Linux kernel 2.6.37 and affects multiple stable branches up to (but not including) fixed versions: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, and 7.0.13. It was published on June 24, 2026, with patches available the same day. The CVSS category is estimated as Medium (GitHub Advisory, Feedly).

Technical details

The root cause is a missing case in the completion-side switch statement within rds_ib_send_unmap_op() (CWE: NULL Pointer Dereference). The transmit path in rds_ib_xmit_atomic() always programs masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), but the completion handler only handles the corresponding non-masked opcodes. When a masked atomic completion arrives, the switch falls through to default, returning rm == NULL while send->s_op remains set. rds_ib_send_cqe_handler() then dereferences the NULL rm pointer via rm->m_final_op, triggering a general protection fault and kernel panic in softirq context. The fix is to handle masked atomic opcodes in the same switch case as non-masked ones, since both map to the same struct rds_message.atomic union member (GitHub Advisory).
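The missing switch case described above, as an added user-space model (not the kernel source and not code from the advisory). The struct layouts, the `unmap_op()` and `count_null_owner()` helpers, the `WR_*` names and their numeric values are assumptions made for the model; only the opcode families and the NULL result come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Opcode names follow the advisory; the numeric values are model constants. */
enum wr_opcode {
    WR_SEND = 2, WR_ATOMIC_CMP_AND_SWP = 5, WR_ATOMIC_FETCH_AND_ADD = 6,
    WR_MASKED_ATOMIC_CMP_AND_SWP = 12, WR_MASKED_ATOMIC_FETCH_AND_ADD = 13
};

struct message { int final_op; };                 /* stand-in for struct rds_message */
struct send_work { enum wr_opcode opcode; struct message *op_owner; };

/* Completion-side lookup: which message owns the op attached to this entry?
 * With fixed == false the masked opcodes behave as if they reached default. */
static struct message *unmap_op(const struct send_work *s, bool fixed)
{
    switch (s->opcode) {
    case WR_SEND:
    case WR_ATOMIC_CMP_AND_SWP:
    case WR_ATOMIC_FETCH_AND_ADD:
        return s->op_owner;
    case WR_MASKED_ATOMIC_CMP_AND_SWP:
    case WR_MASKED_ATOMIC_FETCH_AND_ADD:
        return fixed ? s->op_owner : NULL;
    default:
        return NULL;
    }
}

/* Count completions with an op attached but no owner returned: the state in
 * which the kernel handler reads rm->m_final_op through a NULL rm. */
static int count_null_owner(const struct send_work *ring, size_t n, bool fixed)
{
    int faults = 0;
    for (size_t i = 0; i < n; i++)
        if (ring[i].op_owner && unmap_op(&ring[i], fixed) == NULL)
            faults++;
    return faults;
}

static struct message sample_msg = { 1 };         /* constructed sample data */
static const struct send_work sample_ring[] = {
    { WR_SEND, &sample_msg }, { WR_ATOMIC_FETCH_AND_ADD, &sample_msg },
    { WR_MASKED_ATOMIC_CMP_AND_SWP, &sample_msg }, { WR_MASKED_ATOMIC_FETCH_AND_ADD, &sample_msg },
};

int main(void)
{
    printf("pre-fix: %d\n", count_null_owner(sample_ring, 4, false));
    printf("fixed:   %d\n", count_null_owner(sample_ring, 4, true));
    return 0;
}
```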

Impact

Successful exploitation causes a kernel panic (system crash) in softirq context, resulting in a complete denial of service to the affected system. Any unprivileged local user with access to an AF_RDS socket over an active RDS/IB connection can trigger the crash; on hardware that natively supports masked atomics (e.g., Mellanox mlx4, mlx5 adapters), no special setup is required beyond sending a crafted atomic cmsg. There is no evidence of confidentiality or integrity impact — the vulnerability is limited to availability (GitHub Advisory, Feedly).

Exploitation steps

  1. Identify target: Locate a Linux system running a vulnerable kernel version (2.6.37 through the unpatched stable branches) with RDS over InfiniBand enabled and an active RDS/IB connection, using hardware such as Mellanox mlx4 or mlx5 adapters.
  2. Gain local access: Obtain unprivileged local user access to the target system (no root or special privileges required).
  3. Open AF_RDS socket: Create an AF_RDS socket using socket(AF_RDS, SOCK_SEQPACKET, 0) and connect it to an active RDS/IB peer.
  4. Send malicious atomic cmsg: Issue a sendmsg() call with an atomic control message (cmsg) that causes rds_ib_xmit_atomic() to program a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) into the work request.
  5. Trigger kernel panic: When the masked atomic completion is processed by rds_ib_send_cqe_handler(), the unhandled opcode causes rm to be NULL, and the subsequent dereference of rm->m_final_op triggers a general protection fault and kernel panic, crashing the system (GitHub Advisory).

Indicators of compromise

  • Logs: Kernel log messages containing RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! followed by Oops: general protection fault and KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197].
  • Logs: Kernel panic messages referencing rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) in the call trace.
  • Logs: Call trace entries including poll_scq, rds_ib_tasklet_fn_send, tasklet_action_common, handle_softirqs, and run_ksoftirqd in the crash dump.
  • System: Unexpected system reboots or crashes on hosts with InfiniBand adapters (mlx4/mlx5) and RDS enabled, particularly following AF_RDS socket activity from unprivileged users (GitHub Advisory).
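A log check for the sequence listed above, as an added example that is not part of the advisory. The `scan_kernel_log()` function, the bitmask names and both sample arrays are assumptions; the sample lines are constructed from the strings quoted in the list, and `other_driver_irq` is a made-up frame.

```c
#include <stdio.h>
#include <string.h>

enum { SEEN_OPCODE_WARN = 1, SEEN_GPF = 2, SEEN_HANDLER_FRAME = 4 };

/* Scan kernel-log lines in order and return a bitmask of the indicators seen.
 * The fault and the handler frame count only after the unexpected-opcode
 * warning, matching the sequence the advisory describes. Frames are matched
 * by function name, not offset, because offsets differ between builds. */
static unsigned scan_kernel_log(const char *const *lines, size_t n)
{
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "rds_ib_send_unmap_op: unexpected opcode")) {
            seen |= SEEN_OPCODE_WARN;
            continue;
        }
        if (!(seen & SEEN_OPCODE_WARN))
            continue;
        if (strstr(l, "general protection fault") || strstr(l, "null-ptr-deref"))
            seen |= SEEN_GPF;
        if (strstr(l, "rds_ib_send_cqe_handler+"))
            seen |= SEEN_HANDLER_FRAME;
    }
    return seen;
}

/* Constructed sample lines built from the strings quoted in the list above. */
static const char *const sample_crash[] = {
    "RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!",
    "Oops: general protection fault",
    "KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]",
    " rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)",
    " rds_ib_tasklet_fn_send",
};
/* Constructed unrelated fault: no RDS warning precedes it, so nothing is flagged. */
static const char *const sample_unrelated[] = {
    "Oops: general protection fault",
    " other_driver_irq+0x10/0x40",
};

int main(void)
{
    printf("crash sample:     0x%x\n", scan_kernel_log(sample_crash, 5));
    printf("unrelated sample: 0x%x\n", scan_kernel_log(sample_unrelated, 2));
    return 0;
}
```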

Mitigation and workarounds

Apply the available kernel patches for the respective stable branches: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1+. The fix adds proper handling for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP and IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) in the rds_ib_send_unmap_op() switch statement. As a temporary workaround if patching is delayed, restrict AF_RDS socket creation to trusted users only (e.g., via network namespace restrictions or removing the rds kernel module if RDS is not required) (GitHub Advisory, Feedly).
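A triage helper for the fixed-version list above, as an added example that is not part of the advisory. The `classify_release()` function and the verdict names are assumptions; the version numbers are copied from the paragraph, and the comparison assumes the release string follows upstream stable numbering.

```c
#include <stdio.h>
#include <sys/utsname.h>

enum verdict { NOT_AFFECTED, VULNERABLE, FIXED, CHECK_VENDOR };

/* First fixed release on each stable branch, copied from the advisory text. */
static const struct { int major, minor, fixed_patch; } fixes[] = {
    {5, 10, 259}, {5, 15, 210}, {6, 1, 176}, {6, 6, 143},
    {6, 12, 94}, {6, 18, 36}, {7, 0, 13},
};

/* Classify an upstream-style release string such as "6.6.142". */
static enum verdict classify_release(const char *release)
{
    int major = 0, minor = 0, patch = 0;

    if (sscanf(release, "%d.%d.%d", &major, &minor, &patch) < 2)
        return CHECK_VENDOR;                    /* not a version we can parse */
    if (major < 2 || (major == 2 && (minor < 6 || (minor == 6 && patch < 37))))
        return NOT_AFFECTED;                    /* predates 2.6.37 */
    if (major > 7 || (major == 7 && minor >= 1))
        return FIXED;                           /* 7.1 and later */
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++)
        if (fixes[i].major == major && fixes[i].minor == minor)
            return patch >= fixes[i].fixed_patch ? FIXED : VULNERABLE;
    return CHECK_VENDOR;                        /* affected range, no fix listed for branch */
}

int main(void)
{
    static const char *const label[] = {
        "not affected", "vulnerable", "fixed", "no listed fix: check vendor advisory" };
    struct utsname u;

    if (uname(&u) != 0)
        return 1;
    printf("%s: %s\n", u.release, label[classify_release(u.release)]);
    return 0;
}
```

Distribution kernels often backport fixes without changing the upstream version number, so a "vulnerable" result on a vendor kernel should be confirmed against the vendor's own advisory.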

Community reactions

The vulnerability received routine automated coverage from CVE tracking services and aggregators shortly after disclosure on June 24, 2026. Social media activity was limited to automated CVE notification accounts on Bluesky and Nitter/Twitter. No notable researcher commentary, vendor statements beyond the kernel patch, or significant media coverage has been identified (Feedly).

This report was generated using AI.
