HIGH
rdma/siw RxFpdu Deref
CVE-2026-23242
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix potential NULL pointer dereference in header processing

If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.

KASAN splat:

```
[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
```

02 KernelScan AI Analysis
Risk summary
Local users with RDMA access can trigger a kernel NULL pointer dereference in the siw (Soft iWarp) driver, causing system crashes. This affects systems using RDMA over Ethernet with the software iWarp implementation.
Vulnerability analysis
The vulnerability occurs in siw_tcp_rx_data() when siw_get_hdr() returns -EINVAL before set_rx_fpdu_context() is called, leaving qp->rx_fpdu as NULL. The error handling path unconditionally dereferences qp->rx_fpdu->more_ddp_segs without checking if rx_fpdu is NULL first. The fix adds a NULL check before accessing the more_ddp_segs field, preventing the crash. This is reachable through RDMA operations that can trigger malformed header processing, requiring local access and RDMA privileges.
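The pattern described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch: only `rx_fpdu` and `more_ddp_segs` are names taken from the advisory, and every other identifier (`qp_model`, `get_hdr_model`, `rx_error_completes`, and so on) is hypothetical. It shows that the guarded check tolerates the early `-EINVAL` case while giving the same answer as before whenever a context is present.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model. Only rx_fpdu and more_ddp_segs are names from the
 * advisory; every other identifier is hypothetical. */
struct fpdu_ctx { int more_ddp_segs; };
struct qp_model { struct fpdu_ctx *rx_fpdu; struct fpdu_ctx ctx; };

/* Stand-in for siw_get_hdr(): a header rejected early returns -EINVAL
 * before the stand-in for set_rx_fpdu_context() has run. */
static int get_hdr_model(struct qp_model *qp, bool hdr_ok, bool late_error)
{
    if (!hdr_ok)
        return -EINVAL;          /* qp->rx_fpdu may still be NULL here */
    qp->rx_fpdu = &qp->ctx;      /* context attached */
    return late_error ? -EINVAL : 0;
}

/* Pre-fix shape of the error-path test: unconditional dereference.
 * Kept for comparison only; it faults when rx_fpdu is NULL. */
bool more_segs_unchecked(const struct qp_model *qp)
{
    return qp->rx_fpdu->more_ddp_segs != 0;
}

/* Post-fix shape: consult more_ddp_segs only when rx_fpdu is present. */
bool more_segs_checked(const struct qp_model *qp)
{
    return qp->rx_fpdu != NULL && qp->rx_fpdu->more_ddp_segs != 0;
}

/* Model of the receive error path: true when header processing failed
 * and the more_ddp_segs branch is taken. */
bool rx_error_completes(struct qp_model *qp, bool hdr_ok, bool late_error)
{
    int rv = get_hdr_model(qp, hdr_ok, late_error);
    return rv != 0 && more_segs_checked(qp);
}

int main(void)
{
    struct qp_model fresh = { NULL, { 0 } };  /* no context yet */
    struct qp_model mid = { NULL, { 1 } };    /* more segments pending */
    printf("early -EINVAL, no context: %d\n", rx_error_completes(&fresh, false, false));
    printf("late error, more segments: %d\n", rx_error_completes(&mid, true, true));
    return 0;
}
```
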
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | ab61841633d1 |
| 5.15 | 5.15.202 | 8564dcc12fbb |
| 6.1 | 6.1.165 | ab957056192d |
| 6.6 | 6.6.128 | ffba40b67663 |
| 6.12 | 6.12.75 | 87b7a036d2c7 |
| 6.18 | 6.18.14 | 714c99e1dc8f |
| 6.19 | 6.19.4 | ce025f7f5d07 |
| mainline | 7.0 | 14ab3da122bd |