CVE-2024-40992 in Linux

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix responder length checking for UD request packets

According to the IBA specification: If a UD request packet is detected with an invalid length, the request shall be an invalid request and it shall be silently dropped by the responder. The responder then waits for a new request packet.

commit 689c5421bfe0 ("RDMA/rxe: Fix incorrect responder length checking") defers responder length check for UD QPs in function `copy_data`. But it introduces a regression issue for UD QPs.

When the packet size is too large to fit in the receive buffer, `copy_data` will return error code -EINVAL. Then `send_data_in` will return RESPST_ERR_MALFORMED_WQE. UD QP will transfer into ERROR state.


Analysis

by VulDB Data Team • 10/07/2025

The vulnerability CVE-2024-40992 affects the Linux kernel's RDMA/rxe implementation and represents a critical flaw in the handling of Unreliable Datagram (UD) request packets within the Remote Direct Memory Access subsystem. This issue stems from improper responder length checking mechanisms that violate the InfiniBand Architecture (IBA) specification requirements for packet validation. The vulnerability specifically impacts UD queue pairs (QPs) and demonstrates a regression introduced by a previous fix attempt, creating a dangerous inconsistency in how the system processes malformed network traffic.

The technical flaw manifests in the `copy_data` function where responder length checking for UD QPs is incorrectly deferred, leading to improper error handling when packet sizes exceed buffer capacity. When a UD request packet exceeds the receive buffer limits, the `copy_data` function returns the error code -EINVAL, which subsequently propagates through the `send_data_in` function to return RESPST_ERR_MALFORMED_WQE. This cascade of error propagation causes the UD QP to transition into an ERROR state, effectively terminating the communication channel and potentially allowing denial-of-service conditions. The issue directly relates to CWE-129, which addresses improper validation of length parameters, and CWE-704, concerning incorrect function return values that can lead to system instability.
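The difference between the two responder behaviours described above can be seen in a small user-space model. This is an added example, not kernel code and not part of the VulDB or MITRE text: the struct, the `respond_*` and `model_copy_data` names, and the buffer sizes are constructed for illustration, and the "early check" path models the drop-silently rule quoted from the IBA specification rather than the actual kernel patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed user-space model of the responder flow; not kernel code. */
enum qp_state { QP_READY, QP_ERROR };
enum verdict { DELIVERED, DROPPED, QP_FAILED };
struct ud_qp {
    enum qp_state state;
    size_t sge_len[4];      /* posted receive buffer segment lengths */
    size_t num_sge;
    unsigned long dropped;  /* silently discarded requests */
};
static size_t recv_capacity(const struct ud_qp *qp) {
    size_t total = 0;
    for (size_t i = 0; i < qp->num_sge; i++)
        total += qp->sge_len[i];
    return total;
}
/* Stand-in for copy_data(): -EINVAL when the payload does not fit. */
static int model_copy_data(const struct ud_qp *qp, size_t len) {
    return len > recv_capacity(qp) ? -EINVAL : 0;
}

/* Regressed flow: the bad length is only discovered during the copy. */
static enum verdict respond_deferred_check(struct ud_qp *qp, size_t len) {
    if (qp->state != QP_READY) return QP_FAILED;
    if (model_copy_data(qp, len) < 0) {
        qp->state = QP_ERROR;  /* the RESPST_ERR_MALFORMED_WQE outcome */
        return QP_FAILED;
    }
    return DELIVERED;
}

/* Spec flow: validate first, drop silently, keep waiting for requests. */
static enum verdict respond_early_check(struct ud_qp *qp, size_t len) {
    if (qp->state != QP_READY) return QP_FAILED;
    if (len > recv_capacity(qp)) {
        qp->dropped++;
        return DROPPED;
    }
    return DELIVERED;
}

int main(void) {
    struct ud_qp a = { QP_READY, {64, 64}, 2, 0 }, b = a;
    enum verdict va = respond_deferred_check(&a, 200), vb = respond_early_check(&b, 200);
    printf("deferred: verdict=%d state=%d; early: verdict=%d state=%d\n", va, a.state, vb, b.state);
    return 0;
}
```

In the deferred model a single oversized request leaves the QP unable to accept later valid requests, while the early check only increments a drop counter.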

The operational impact of this vulnerability extends beyond simple packet rejection, as it creates a potential pathway for attackers to induce system instability through carefully crafted malformed packets. When UD QPs transition into ERROR state, they can no longer properly handle legitimate traffic, leading to service disruption and potential data loss in high-performance computing environments where RDMA is extensively utilized. The regression introduced by commit 689c5421bfe0 demonstrates the complexity of network protocol implementations and highlights how seemingly minor changes can introduce critical behavioral differences. This vulnerability affects systems running Linux kernels with RDMA/rxe support and particularly impacts data center environments, high-performance computing clusters, and enterprise networking infrastructure where RDMA communication is prevalent.

Mitigation strategies should focus on applying the patched kernel version that properly addresses the responder length checking logic while maintaining compliance with IBA specifications. System administrators must ensure all RDMA-enabled systems receive immediate updates, as the vulnerability can be exploited to cause service disruption without requiring elevated privileges. Network monitoring should be enhanced to detect abnormal QP state transitions, and defensive measures including rate limiting and packet filtering should be implemented at network boundaries. The fix should align with ATT&CK technique T1499.004, which covers network disruption through protocol manipulation, ensuring that the remediation addresses both the immediate vulnerability and prevents similar regression issues in future kernel modifications. Organizations should also conduct thorough testing of RDMA applications after applying patches to verify that legitimate traffic continues to flow properly through the corrected implementation.

Responsible: Linux
Reservation: 07/12/2024
Disclosure: 07/12/2024
Moderation: accepted
CPE: ready
EPSS: 0.00268
KEV: no
Activities: very low
