CVE-2026-46127 Overview
CVE-2026-46127 is a NULL pointer dereference vulnerability in the Linux kernel's RDMA/ocrdma driver. The flaw resides in the ocrdma_copy_pd_uresp() function, where the pd->uctx pointer is referenced in error-handling paths before it is initialized. When an error condition triggers these paths, the kernel dereferences a NULL pointer and crashes.
The issue affects systems using the Emulex OneConnect RDMA (ocrdma) driver for InfiniBand and RoCE workloads. Exploitation requires triggering an error during protection domain (PD) user-response copy operations, which can lead to a kernel panic and denial of service [CWE-476].
Critical Impact
Triggering the error path in ocrdma_copy_pd_uresp() causes a kernel NULL pointer dereference, resulting in a system crash and denial of service for affected hosts.
Affected Products
- Linux kernel builds containing the drivers/infiniband/hw/ocrdma RDMA driver
- Systems using Emulex OneConnect adapters with RDMA/RoCE enabled
- Distributions shipping unpatched stable kernel branches prior to the fix commits
Discovery Timeline
- 2026-05-28 - CVE-2026-46127 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46127
Vulnerability Analysis
The ocrdma_copy_pd_uresp() function in the ocrdma driver constructs a user-space response describing a newly allocated protection domain. The function builds the response structure and copies it to the calling user context. Error-handling branches in this function reference pd->uctx to perform cleanup actions.
The problem is ordering. The pd->uctx field is not assigned until later in the function body. Any error that triggers before that assignment leaves pd->uctx as NULL. Cleanup code then dereferences this NULL pointer and crashes the kernel.
The upstream fix replaces references to pd->uctx in the error paths with the local uctx variable, which is valid throughout the function. This eliminates the NULL dereference without changing the cleanup logic.
Root Cause
The root cause is a use-before-initialization bug in error handling. Developers wrote cleanup code that assumed pd->uctx was populated, but the assignment to that field occurs only on the success path near the end of the function. Compilers and static analyzers did not flag the issue because the pointer is reachable through a valid object reference.
Attack Vector
The attack vector is local. A user with permission to open an ocrdma device file and issue RDMA verbs can request a protection domain allocation. Triggering an error during the user-response copy step, such as by providing crafted parameters or exhausting kernel resources, forces execution into the vulnerable error branch. The resulting kernel crash denies service to all workloads on the host. The vulnerability has not been reported as exploited in the wild and is not listed in the CISA KEV catalog.
No public proof-of-concept code is available. Technical details are documented in the upstream patch commits referenced below.
Detection Methods for CVE-2026-46127
Indicators of Compromise
- Kernel oops or panic messages referencing ocrdma_copy_pd_uresp in the call stack
- BUG: unable to handle kernel NULL pointer dereference entries in dmesg or /var/log/kern.log tied to RDMA operations
- Unexpected reboots on hosts running RDMA workloads with Emulex OneConnect adapters
Detection Strategies
- Inventory kernel versions across Linux hosts and flag systems running the ocrdma driver without the fix commits applied
- Monitor kernel crash dumps and kdump artifacts for stack traces involving ocrdma_copy_pd_uresp() or surrounding ocrdma functions
- Audit RDMA verb usage by non-root users on hosts that expose /dev/infiniband/uverbs* device nodes
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on NULL pointer dereference events linked to RDMA modules
- Track repeated process terminations or daemon restarts on RDMA-enabled servers that correlate with kernel faults
- Review system uptime metrics for unexpected reboots on hosts handling InfiniBand or RoCE traffic
How to Mitigate CVE-2026-46127
Immediate Actions Required
- Apply the upstream kernel patches that replace pd->uctx references with the local uctx variable in ocrdma_copy_pd_uresp()
- Update to a stable Linux kernel release that contains the fix commits and reboot affected hosts
- Restrict access to /dev/infiniband/uverbs* device files to trusted users and service accounts only
Patch Information
The vulnerability is resolved across multiple stable branches. Refer to the upstream commits for the exact code change:
- Kernel Git Commit 34fbf48
- Kernel Git Commit 75fc130
- Kernel Git Commit 8832626
- Kernel Git Commit e01a957
- Kernel Git Commit ec44c00
Apply the vendor-supplied kernel update from your Linux distribution once it incorporates these commits.
Workarounds
- Unload the ocrdma kernel module on hosts that do not require RDMA over Emulex OneConnect adapters using modprobe -r ocrdma
- Blacklist the ocrdma module in /etc/modprobe.d/ to prevent automatic loading until a patched kernel is deployed
- Limit local user access on systems that must keep ocrdma enabled, since the vulnerability requires local interaction with RDMA device nodes
# Blacklist the ocrdma module until a patched kernel is installed
echo 'blacklist ocrdma' | sudo tee /etc/modprobe.d/blacklist-ocrdma.conf
sudo modprobe -r ocrdma
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
