CVE-2026-53186: RDMA/srp: bound SRP_RSP sense copy by the received length
In the Linux kernel, the following vulnerability has been resolved:

RDMA/srp: bound SRP_RSP sense copy by the received length

srp_process_rsp() copies sense data from rsp->data + resp_data_len, where resp_data_len is the full 32-bit value supplied by the SRP target and is never checked against the number of bytes actually received (wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so at most 96 bytes are copied, but the source offset is not bounded.

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that the initiator has logged into can return an SRP_RSP with SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer is allocated at the target-chosen max_ti_iu_len, so the source of the sense copy lands past the bytes actually received; with resp_data_len near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.

Copy the sense data only if it has not been truncated, that is, only if the response header, the response data, and the sense region fit within the bytes actually received; otherwise drop the sense and log.

The in-tree iSER and NVMe-RDMA receive paths already bound their parse by wc->byte_len; this brings ib_srp into line with them.
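The check the fix describes, worked through on a constructed receive buffer, as an added illustration; this is not code from the kernel, from the fix commits, or from HarborGuard. The 12-byte record layout, the 0x02 value for the SNSVALID bit, and the names copy_sense_bounded, put_hdr and case_* are simplifications assumed for the demonstration, not the kernel's struct srp_rsp; only the 96-byte SCSI_SENSE_BUFFERSIZE limit and the idea of bounding by the received length (wc->byte_len) come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limit from the advisory: at most this many sense bytes are ever copied. */
#define SCSI_SENSE_BUFFERSIZE 96u

/* Hypothetical, simplified SRP_RSP layout for this demo. It is NOT the
 * kernel's struct srp_rsp; only the fields the bound check needs are kept,
 * big-endian as on the wire:
 *   [0]     flags (SNSVALID bit assumed to be 0x02 here)
 *   [4..7]  sense_data_len
 *   [8..11] resp_data_len
 *   [12..]  resp_data_len bytes of response data, then the sense data      */
#define RSP_HDR_LEN       12u
#define RSP_FLAG_SNSVALID 0x02u

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bounded sense copy modelled on the fix. rx/byte_len are the receive
 * buffer and the bytes actually received (the kernel's wc->byte_len).
 * Returns bytes copied, 0 if SNSVALID is clear, or -1 when the sense
 * region does not fit in the received bytes (drop it and log). */
static int copy_sense_bounded(const uint8_t *rx, uint32_t byte_len,
                              uint8_t sense[SCSI_SENSE_BUFFERSIZE])
{
    if (byte_len < RSP_HDR_LEN)
        return -1;                            /* header itself truncated */

    uint8_t  flags          = rx[0];
    uint32_t sense_data_len = get_be32(rx + 4);
    uint32_t resp_data_len  = get_be32(rx + 8);

    if (!(flags & RSP_FLAG_SNSVALID))
        return 0;

    uint32_t copy_len = sense_data_len < SCSI_SENSE_BUFFERSIZE
                      ? sense_data_len : SCSI_SENSE_BUFFERSIZE;

    /* The unfixed path used rx + RSP_HDR_LEN + resp_data_len as the source
     * without this check. 64-bit arithmetic keeps a resp_data_len near
     * 0xFFFFFFFF from wrapping the sum back inside the buffer. */
    uint64_t sense_end = (uint64_t)RSP_HDR_LEN + resp_data_len + copy_len;
    if (sense_end > byte_len) {
        fprintf(stderr, "srp: SRP_RSP sense truncated (resp_data_len=%u, "
                "byte_len=%u), dropping sense\n", resp_data_len, byte_len);
        return -1;
    }

    memcpy(sense, rx + RSP_HDR_LEN + resp_data_len, copy_len);
    return (int)copy_len;
}

/* Writes a constructed header in the demo layout into rx. */
static void put_hdr(uint8_t *rx, uint8_t flags, uint32_t sense_data_len,
                    uint32_t resp_data_len)
{
    memset(rx, 0, RSP_HDR_LEN);
    rx[0] = flags;
    for (int i = 0; i < 4; i++) {
        rx[4 + i] = (uint8_t)(sense_data_len >> (24 - 8 * i));
        rx[8 + i] = (uint8_t)(resp_data_len  >> (24 - 8 * i));
    }
}

/* Constructed case: 4 bytes of response data then an 18-byte fixed-format
 * sense block, all received. Expected: 18. */
int case_well_formed(void)
{
    uint8_t rx[64] = {0}, sense[SCSI_SENSE_BUFFERSIZE];
    put_hdr(rx, RSP_FLAG_SNSVALID, 18, 4);
    rx[RSP_HDR_LEN + 4] = 0x70;               /* sense response-code byte */
    return copy_sense_bounded(rx, RSP_HDR_LEN + 4 + 18, sense);
}

/* Constructed case with the shape the advisory describes: SNSVALID set and
 * resp_data_len = 0xFFFFFFFF while only 64 bytes arrived. Expected: -1. */
int case_huge_resp_data_len(void)
{
    uint8_t rx[64] = {0}, sense[SCSI_SENSE_BUFFERSIZE];
    put_hdr(rx, RSP_FLAG_SNSVALID, 18, 0xFFFFFFFFu);
    return copy_sense_bounded(rx, sizeof rx, sense);
}

/* Constructed case: plausible lengths, but only 10 of the 18 sense bytes
 * were received. Expected: -1, never a partial copy. */
int case_sense_overruns_rx(void)
{
    uint8_t rx[64] = {0}, sense[SCSI_SENSE_BUFFERSIZE];
    put_hdr(rx, RSP_FLAG_SNSVALID, 18, 4);
    return copy_sense_bounded(rx, RSP_HDR_LEN + 4 + 10, sense);
}

int main(void)
{
    printf("well-formed=%d huge_resp_data_len=%d overrun=%d\n",
           case_well_formed(), case_huge_resp_data_len(),
           case_sense_overruns_rx());
    return 0;
}
```

The decisive detail is that the bound is taken against the bytes the completion reported, not against the allocated buffer size: a buffer sized to max_ti_iu_len says nothing about how much of it the target actually filled.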
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in the Linux kernel's RDMA/srp (Remote Direct Memory Access / SCSI RDMA Protocol) subsystem, specifically in the srp_process_rsp() function. The flaw is reachable over the network from a malicious or compromised SRP target on the InfiniBand or RoCE fabric, with no authentication required from the attacker. Successful exploitation allows the attacker to read memory contents beyond the receive buffer and crash the initiator host, enabling both sensitive data disclosure and denial of service. Patched-image rebuilds at the fix commits are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-53186 is available across every HarborGuard environment; the CVE is ingested from upstream NVD and Linux kernel security feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. HarborGuard's image scanner inspects kernel package metadata and build provenance to identify affected layers regardless of base image origin.
- Triage (Available): Triage is available using the CVSS v3.1 score of 9.1 (Critical), with per-environment compliance policy weighting applied to prioritize findings in workloads exposed to untrusted RDMA fabrics. Routed findings are delivered to the inbox configured for each customer organization based on their team and severity routing rules.
- Patched image (Available): A patched-image rebuild pinned to the fix commits is available on HarborGuard for any scanned image found to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker must control or compromise an SRP target reachable over the InfiniBand or RoCE fabric that the initiator has logged into, making over-the-network access a prerequisite.
- Authentication: Not required
  No authentication credential is required on the attacking target side; any SRP target the initiator has already connected to can send a crafted SRP_RSP response.
- Victim interaction: Not required
  No user or administrator action is needed; the vulnerable code path executes automatically when the initiator processes a response from the fabric.
- Attack complexity
  Exploit conditions are straightforward and reliable once the attacker controls a reachable SRP target; no race conditions or special memory layout requirements must be met.
Blast Radius
- The attacker causes the initiator kernel to read memory gigabytes past the allocated receive buffer, potentially exposing kernel heap contents such as cryptographic material, session tokens, or other in-flight data structures.
- A resp_data_len value near 0xFFFFFFFF triggers a page fault in kernel context, crashing the affected host or causing an unrecoverable kernel oops that takes down all workloads on the node.
- Because the crash occurs in kernel space during RDMA response processing, all containers and processes sharing the host are terminated along with the node.
How HarborGuard Handles This
Available on HarborGuard: detection fires the moment the CVE is published, matching every image in connected registries and CI pipelines against the affected Linux kernel version range. Where compliance policy permits, a patched-image rebuild is generated automatically, a regression-test run is executed, and a pull request is opened against affected workloads; for critical-severity issues the median time from publication to merged PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with the fix commit references so engineering teams can manually trigger a rebuild. As a compensating control while a patched image is being prepared, teams can apply network policy to restrict RDMA fabric access to explicitly trusted SRP targets, reducing the set of peers that can deliver a crafted SRP_RSP to the initiator.
Fix available
- Linux / Linux, affected versions before each fix commit (each range from aef9ec39c47f0cece886ddd6b53c440321e0b2a6):
  - < 3889517c2ec7f364914aea8209abfff735f7ecde
  - < ed77cc819ad631264787cade5ae5ec4c535ec6bb
  - < 0b9ee09d5e849591f17d98c078033dadea967293
  - < 0d64bc200ebe4f275b27438c6e593903e0b16fe1
  - < 2015038195939eac54a1ee83c9d98ef1a8ccbbce
  - < f92a285db7ff6e598591ccbfb551be155c5f4d57
- Linux / Linux from 2.6.15, fixed in: 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H