CVE-2026-31491 Overview
A vulnerability has been identified in the Linux kernel's RDMA/irdma driver where integer overflow and truncation can occur in depth calculation functions. When the operating system passes U32_MAX values for SQ (Send Queue), RQ (Receive Queue), or SRQ (Shared Receive Queue) sizes, the affected functions may return success when they should have failed, potentially leading to memory corruption or unexpected system behavior.
Critical Impact
Integer overflow in RDMA queue depth calculations can lead to memory corruption, system instability, and potential privilege escalation in systems utilizing Intel RDMA-capable network adapters.
Affected Products
- Linux Kernel (irdma driver)
- Systems using Intel RDMA-capable Ethernet adapters
- RDMA/InfiniBand deployments with affected kernel versions
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-31491 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31491
Vulnerability Analysis
The vulnerability resides in the RDMA/irdma kernel driver, specifically within functions responsible for calculating queue depths for Send Queues (SQ), Receive Queues (RQ), and Shared Receive Queues (SRQ). When these functions receive U32_MAX (4,294,967,295) as input for queue size parameters, an integer overflow occurs during depth calculations.
The core issue stems from performing arithmetic operations on 32-bit unsigned integers without proper bounds checking. When the calculation results exceed the maximum representable value in a 32-bit integer, the value wraps around (truncates), causing the function to incorrectly report success for invalid configurations. This can result in undersized queue allocations that may be exploited through subsequent RDMA operations.
Root Cause
The root cause is insufficient input validation and the use of 32-bit integer arithmetic for queue depth calculations where 64-bit arithmetic is required. The depth calculation functions lacked proper boundary checking, allowing integer overflow conditions when processing maximally-sized input values. The fix hardens these functions to perform all depth calculations and boundary checking using u64 (64-bit unsigned integer) sizes, preventing overflow and ensuring accurate validation of queue size requests.
Attack Vector
An attacker with local access and the ability to interact with the RDMA subsystem could exploit this vulnerability by submitting RDMA queue creation requests with specially crafted size parameters (specifically U32_MAX values). This could lead to:
- Memory corruption due to undersized queue allocations
- Denial of service through kernel crashes or hangs
- Potential privilege escalation if corrupted memory regions can be controlled
The vulnerability requires local access to systems with Intel RDMA-capable network adapters and appropriate permissions to interact with the RDMA subsystem. While exploitation requires specific conditions, RDMA is commonly used in high-performance computing and data center environments where such access may be available.
Detection Methods for CVE-2026-31491
Indicators of Compromise
- Unexpected kernel panics or crashes related to the irdma driver
- Abnormal RDMA queue creation requests with unusually large size parameters
- Memory corruption signatures in kernel logs referencing irdma or RDMA subsystems
- System instability on hosts with Intel RDMA-capable network adapters
Detection Strategies
- Monitor kernel logs for irdma driver errors or warnings related to queue depth calculations
- Implement system call auditing for RDMA-related operations with boundary value parameters
- Deploy kernel integrity monitoring to detect signs of memory corruption
- Use SentinelOne Singularity Platform to detect anomalous kernel behavior patterns
Monitoring Recommendations
- Enable verbose logging for the irdma driver module during security investigations
- Configure alerting for kernel oops or panic events involving RDMA subsystems
- Monitor for unusual patterns in RDMA device access from non-privileged processes
- Implement baseline monitoring for RDMA queue creation frequencies and sizes
How to Mitigate CVE-2026-31491
Immediate Actions Required
- Apply the latest Linux kernel patches that include the hardened depth calculation functions
- If patching is not immediately possible, consider temporarily disabling the irdma driver on non-critical systems
- Review and restrict access to RDMA interfaces to authorized users and processes only
- Monitor affected systems for signs of exploitation until patches can be applied
Patch Information
The vulnerability has been addressed through kernel commits that harden the depth calculation functions to use 64-bit arithmetic. The following commits contain the fix:
Update to a kernel version that includes these commits to remediate the vulnerability.
Workarounds
- Restrict access to RDMA devices using Linux access controls and device cgroups
- Unload the irdma kernel module if RDMA functionality is not required: modprobe -r irdma
- Implement network segmentation to limit exposure of RDMA-capable systems
- Use SELinux or AppArmor policies to restrict processes that can interact with RDMA interfaces
# Configuration example
# Temporarily disable the irdma driver if RDMA is not required
sudo modprobe -r irdma
# Blacklist the module to prevent automatic loading
echo "blacklist irdma" | sudo tee /etc/modprobe.d/blacklist-irdma.conf
# Verify module is not loaded
lsmod | grep irdma
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
