Описание
In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com)
Отчет
This is an out-of-bounds write caused by using a page index (rc_curpage) as a byte offset in memcpy(). A remote NFS/RDMA client can trigger memory corruption or kernel crashes by sending specially crafted inline data. In the worst case, this breaks the memory safety assumptions of the RDMA receive path and may allow cross-object memory corruption. Although the issue is remotely triggerable, the attack vector is Adjacent (AV:A), since it requires access to an authorized NFS over RDMA fabric and cannot be exploited from the general Internet. This makes it a storage-network-level vulnerability rather than a public network exposure.
Меры по смягчению последствий
To mitigate this issue, prevent module rpcrdma from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:2282 | 09.02.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:2722 | 16.02.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:2722 | 16.02.2026 |
| Red Hat Enterprise Linux 9.6 Extended Update Support | kernel | Fixed | RHSA-2026:4745 | 17.03.2026 |
Показывать по
Дополнительная информация
Статус:
7.1 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com)
In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com)
In the Linux kernel, the following vulnerability has been resolved: s ...
In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com)
7.1 High
CVSS3