CVE-2026-53355 Overview
CVE-2026-53355 is a Linux kernel vulnerability in the Reliable Datagram Sockets (RDS) InfiniBand (IB) transport. The flaw is in the error unwind path of rds_ib_setup_qp(), the routine that sets up a connection's queue pair. When setup fails after the i_sends ring has been allocated but before i_recvs is allocated, the unwind path releases i_sends with vfree() but leaves the pointer in place. The connection shutdown logic uses a NULL pointer to mean "already released", so a later shutdown pass sees the stale pointer, treats it as a live send ring and operates on freed kernel memory: a use-after-free.
Critical Impact
A shutdown pass that runs after a failed setup walks or frees the stale i_sends pointer, corrupting kernel memory. The realistic outcome is a kernel oops or panic (denial of service) on hosts that use RDS over InfiniBand; as with any kernel use-after-free, further memory-safety consequences cannot be ruled out from the description alone.
Affected Products
- Linux kernel (upstream) — RDS IB transport component
- Multiple stable kernel branches referenced in the fix commits
- Systems using RDS over InfiniBand networking
Discovery Timeline
- 2026-07-01 - CVE-2026-53355 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53355
Vulnerability Analysis
The RDS IB connection teardown logic is deliberately written to run against partially set-up connections and to tolerate being invoked more than once. To make that safe it relies on a simple ownership convention: a resource pointer that is non-NULL is still owned and must be released, and a pointer that has been cleared to NULL has already been released and is skipped.
The error unwind in rds_ib_setup_qp() breaks this convention. When setup fails after i_sends has been allocated but before i_recvs is allocated, the unwind code calls vfree() on i_sends without setting the pointer to NULL. A later shutdown pass reads the stale, non-NULL pointer, treats it as a live send ring and operates on freed memory. This is a use-after-free [CWE-416] in kernel space.
Root Cause
The root cause is inconsistent ownership tracking in the setup error path. The teardown contract requires released resources to be nulled, but the sends_out error label in rds_ib_setup_qp() only frees the buffer and leaves the pointer dangling, so the shutdown path can no longer tell a released ring from a live one.
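The following user-space model is an added example, not the kernel's code and not taken from the fix commits. It reproduces the ownership convention described above: a NULL field means "already released", the teardown may run repeatedly, and the unwind path either leaves the pointer dangling (the bug) or clears it (the fix). vmalloc()/vfree() are replaced by a constructed tracking allocator that counts releases of pointers it no longer considers live, so the stale-pointer bug shows up as a count rather than as memory corruption. The names struct ib_conn, conn_setup(), conn_shutdown(), track_*() and run_scenario() are chosen for the model and do not correspond to kernel symbols.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the two ring buffers involved; not struct rds_ib_connection. */
struct ib_conn {
    void *i_sends;
    void *i_recvs;
};

/* Tracking allocator standing in for vmalloc()/vfree(). A release of a pointer that is
 * not currently live is recorded instead of corrupting memory, which is what the stale
 * i_sends pointer would do in the kernel. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int stale_releases;

static void track_reset(void)
{
    memset(live, 0, sizeof live);
    stale_releases = 0;
}

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

static void track_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    stale_releases++; /* pointer was already released: the use-after-free case */
}

/* Teardown contract: a NULL field means "already released". Safe to call on a
 * partially set-up connection and safe to call more than once. */
static void conn_shutdown(struct ib_conn *ic)
{
    if (ic->i_sends) {
        track_free(ic->i_sends);
        ic->i_sends = NULL;
    }
    if (ic->i_recvs) {
        track_free(ic->i_recvs);
        ic->i_recvs = NULL;
    }
}

/* Setup with an injected failure after i_sends is allocated but before i_recvs is,
 * the window the advisory describes. fixed=false reproduces the unwind bug: the ring
 * is freed but the pointer is left dangling for the next shutdown pass to find. */
static int conn_setup(struct ib_conn *ic, bool fail_after_sends, bool fixed)
{
    ic->i_sends = track_alloc(64);
    if (!ic->i_sends)
        return -1;
    if (fail_after_sends)
        goto sends_out;
    ic->i_recvs = track_alloc(64);
    if (!ic->i_recvs)
        goto sends_out;
    return 0;

sends_out:
    track_free(ic->i_sends);
    if (fixed)
        ic->i_sends = NULL; /* the upstream fix: restore the ownership invariant */
    return -1;
}

/* Failed setup followed by two shutdown passes; returns how many releases hit a
 * pointer that was no longer live. The buggy unwind yields 1, the fixed one 0. */
static int run_scenario(bool fixed)
{
    struct ib_conn ic = {0};
    track_reset();
    conn_setup(&ic, true, fixed);
    conn_shutdown(&ic);
    conn_shutdown(&ic);
    return stale_releases;
}

int main(void)
{
    printf("buggy unwind: %d stale release(s)\n", run_scenario(false));
    printf("fixed unwind: %d stale release(s)\n", run_scenario(true));
    return 0;
}
```

The second conn_shutdown() call is there to show that the teardown itself is idempotent; the damage comes entirely from the first pass after the failed setup, because that is the only point at which a non-NULL pointer no longer refers to a live allocation.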
Attack Vector
Triggering the vulnerability requires making rds_ib_setup_qp() fail after the i_sends allocation has succeeded but before the i_recvs allocation completes, and then letting the connection shutdown path run. A local process able to create RDS sockets and drive connection setup over the IB transport, or a fault condition (such as resource exhaustion on the RDMA device) that causes repeated setup failures and teardowns, can reach the stale pointer dereference during the follow-on shutdown.
See the upstream kernel commits for technical details on the affected code paths, including commit 1d4ec754ee38 and commit 20cf0fb715c4.
Detection Methods for CVE-2026-53355
Indicators of Compromise
- Kernel oops or panic stack traces passing through the RDS IB connection teardown or vfree() code paths, on hosts where RDS IB connection setup (rds_ib_setup_qp) has also been failing.
- KASAN reports flagging use-after-free reads on RDS IB send ring memory.
- Repeated RDS connection failures followed by kernel warnings on hosts using InfiniBand transport.
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test kernels so that exercising the failed-setup path produces a use-after-free report instead of silent memory corruption.
- Audit installed kernel versions against the fixed commits listed on kernel.org stable trees.
- Monitor dmesg and journalctl -k for stack traces originating from the net/rds/ib* code paths.
Monitoring Recommendations
- Collect kernel crash dumps and forward them to a centralized log store for correlation across fleet hosts.
- Track RDS module load events and connection error counters on hosts running RDMA workloads.
- Alert on unexpected reboots or kernel taints on systems using the rds_rdma and rds_ib modules.
How to Mitigate CVE-2026-53355
Immediate Actions Required
- Apply the upstream kernel patches referenced by the stable tree commits for the RDS IB fix.
- Inventory hosts that load the rds and rds_rdma kernel modules and prioritize them for patching.
- If patching is not immediately feasible, restrict use of RDS over InfiniBand on affected systems.
Patch Information
The fix clears i_sends after vfree() in the error unwind path so the existing shutdown logic observes the correct ownership state. The patch has been merged upstream and backported across multiple stable trees. Reference commits include 1d4ec754ee38, 20cf0fb715c4, 27040bbca289, 29d940026dce, 2c5e5e4a5970, 66cccec11142, e7cf30aa5f1f, and f16ad421a4e3 on git.kernel.org.
Workarounds
- Prevent the rds and rds_rdma modules from loading on hosts that do not require RDS IB transport. A blacklist entry only stops alias-based autoload; an install override such as install rds /bin/true in a modprobe configuration file also defeats explicit modprobe calls, so use the latter.
- Limit local user access on affected systems to reduce the ability to trigger repeated RDS connection attempts.
# Configuration example: disable RDS modules on hosts that do not need them.
# An install override returns success without loading the module, so both
# explicit modprobe calls and alias-based autoload are defeated.
echo 'install rds /bin/true' | sudo tee /etc/modprobe.d/disable-rds.conf
echo 'install rds_rdma /bin/true' | sudo tee -a /etc/modprobe.d/disable-rds.conf
# Unload the modules if they are already resident (rds_rdma depends on rds, so it goes first)
sudo modprobe -r rds_rdma rds 2>/dev/null || true
# Verify nothing named rds* is loaded; a bare 'rds' pattern would also match unrelated module names
lsmod | grep -E '^rds[_ ]' || echo "no rds modules loaded"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

