CVE-2026-43184 Overview
CVE-2026-43184 is a Linux kernel vulnerability in the rnbd-srv (Remote Network Block Device server) component. The flaw allows uninitialized memory contents to leak across the wire when the server constructs response messages. Before the fix, the server reused a response buffer without zeroing it, so stray bytes from previous kernel memory could be transmitted to the client. The issue is most observable when client and server negotiate different protocol versions, where unused fields in the response structure may be read by the peer. Maintainers resolved the issue by zeroing the response buffer completely before populating it.
Critical Impact
Uninitialized kernel memory may be transmitted from an rnbd-srv host to connected clients, enabling cross-version protocol information disclosure.
Affected Products
- Linux kernel builds that compile and load the rnbd-srv module
- Storage hosts exporting block devices over RDMA via RNBD
- Distributions tracking linux-stable prior to the listed fix commits
Discovery Timeline
- 2026-05-06 - CVE-2026-43184 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43184
Vulnerability Analysis
The RDMA Network Block Device server (rnbd-srv) responds to client requests by writing structured messages into a response buffer and shipping them back over an RDMA transport. The server allocated or reused this buffer without first clearing its contents. As a result, any field the server did not explicitly populate retained whatever bytes were previously resident in that memory region. When the client parsed the response, those stray bytes were interpreted as legitimate protocol fields. The patch enforces a full zeroing of the response buffer prior to use, which guarantees that unset fields default to zero and removes the cross-message data carryover.
Root Cause
The defect is an instance of uninitialized memory use in a kernel-to-client data path [CWE-908]. The response structure contains fields whose presence depends on the negotiated protocol version. When a server running a newer protocol responded to a client speaking an older version, fields the older client did not understand were left untouched but still serialized into the on-wire buffer.
Attack Vector
A client connected to a vulnerable rnbd-srv instance receives response messages whose unused regions contain fragments of kernel slab memory. Exploitation requires an established RNBD session, so the attacker must have network reachability and the credentials or configuration needed to attach to an exported device. The leaked content is non-deterministic and depends on prior kernel allocator activity.
No public proof-of-concept code or exploitation in the wild has been reported. See the upstream commits (30868a6, 69d2669, 7aac0a3, 8524752, b646e54, c94ede3, e2cacec, e427275) for the implemented fix.
Detection Methods for CVE-2026-43184
Indicators of Compromise
- Loaded rnbd_server kernel module on hosts exporting block storage over RDMA without the upstream fix applied
- RNBD client logs reporting unexpected or non-zero values in reserved or version-dependent response fields
- Mixed protocol versions between rnbd-srv and rnbd-clt peers in the same deployment
Detection Strategies
- Inventory hosts that load rnbd_server and compare running kernel versions against the patched stable releases referenced by the upstream commits
- Audit RDMA fabric participants to identify any system running rnbd-srv whose uname -r predates distribution backports of this fix
- Correlate dmesg and module load events with security telemetry to flag unpatched RNBD servers in production
Monitoring Recommendations
- Track kernel package versions across the fleet and alert on hosts that fall behind the vendor-supplied patched release
- Monitor RNBD session establishment for unusual client-server version mismatches that would maximize exposure of unset response fields
- Forward kernel and module telemetry to a centralized data lake to support retrospective hunts once patches are deployed
How to Mitigate CVE-2026-43184
Immediate Actions Required
- Apply the kernel update from your Linux distribution that incorporates the upstream rnbd-srv zeroing fix
- Restrict RNBD exports to trusted RDMA fabrics and authenticated peers until patching is complete
- Where RNBD is not in use, unload the rnbd_server module and blacklist it to remove the attack surface entirely
Patch Information
The fix zeros the response buffer before the server populates it, eliminating the cross-version data carryover. The change has been merged across multiple stable branches. Refer to the upstream commits listed under Attack Vector for the exact patch content and to determine which stable kernel series contain the backport.
Workarounds
- Unload rnbd_server with modprobe -r rnbd_server on hosts that do not require remote block export
- Limit RDMA reachability to the storage server using fabric-level access controls or network segmentation
- Align client and server protocol versions to reduce the size of unused response regions exposed during the window before patching
# Verify whether the rnbd-srv module is loaded and disable it if unused
lsmod | grep rnbd_server
modprobe -r rnbd_server
echo "blacklist rnbd_server" | sudo tee /etc/modprobe.d/blacklist-rnbd.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
