CVE-2026-53371 in Linuxinfo

Summary

by MITRE • 07/19/2026

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ionic: bound node_desc sysfs read with %.64s

node_desc[64] in struct ib_device is not guaranteed to be NUL-
terminated. The core IB sysfs handler uses "%.64s" for exactly this reason (drivers/infiniband/core/sysfs.c:1307), since node_desc_store() performs a raw memcpy of up to IB_DEVICE_NODE_DESC_MAX bytes with no NUL termination:

memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));

If exactly 64 bytes are written via the node_desc sysfs file, the array contains no NUL byte. The ionic hca_type_show() handler uses unbounded "%s" and will read past the end of node_desc into adjacent fields of struct ib_device until it encounters a NUL.

ionic supports IB_DEVICE_MODIFY_NODE_DESC, so this is triggerable by userspace.

Match the core handler and bound the format specifier.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/19/2026

This vulnerability exists in the Linux kernel's Infiniband subsystem where a buffer overflow condition can occur due to improper handling of string termination in the node description field. The issue specifically affects RDMA drivers, particularly those using the ionic HCA (Host Channel Adapter) implementation. The core problem stems from the fact that node_desc[64] within the struct ib_device structure is not guaranteed to be null-terminated, creating a potential security risk when sysfs interfaces are accessed. The Infiniband core subsystem already anticipates this issue by using "%.64s" format specifiers in its sysfs handler at drivers/infiniband/core/sysfs.c:1307, which explicitly accounts for the possibility of non-null-terminated strings during data copying operations.

The technical flaw manifests when userspace applications write exactly 64 bytes to the node_desc sysfs file, causing memcpy operation to populate the entire 64-byte array without appending a null terminator. This scenario creates a situation where subsequent string processing operations can read beyond the intended buffer boundaries. The ionic hca_type_show() handler employs unbounded "%s" format specifiers that will continue reading memory locations adjacent to node_desc until they encounter a null byte, potentially exposing sensitive data or causing system instability. This vulnerability directly maps to CWE-121 Stack-based Buffer Overflow and CWE-122 Heap-based Buffer Overflow categories, as the improper buffer handling leads to memory access violations.

The operational impact of this vulnerability is significant as it allows userspace processes with appropriate privileges to trigger a buffer overflow condition that could lead to information disclosure, system crashes, or potentially arbitrary code execution. Since the ionic driver supports IB_DEVICE_MODIFY_NODE_DESC capability, any authenticated user can exploit this weakness by writing data to the node_desc sysfs interface. The vulnerability represents a privilege escalation vector within the Infiniband subsystem and can be leveraged as part of broader attack chains targeting RDMA infrastructure. This aligns with ATT&CK technique T1068 for locally executed privilege escalation and T1210 for exploitation of remote code execution vulnerabilities in kernel modules.

The recommended mitigation involves modifying the ionic driver's hca_type_show() function to match the defensive approach used by the core Infiniband sysfs handler. This requires bounding the format specifier to ensure that exactly 64 characters are read from node_desc regardless of null termination status, effectively preventing the read past buffer boundaries issue. The fix should implement proper string length handling similar to how the core subsystem manages this scenario using %.64s format specifiers, ensuring that even when exactly 64 bytes are written without null termination, the reading operations remain bounded and safe. System administrators should also consider implementing monitoring for unusual node_desc modifications and ensure that RDMA subsystem access is properly restricted to authorized users only.

Responsible

Linux

Reservation

06/09/2026

Disclosure

07/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Do you need the next level of professionalism?

Upgrade your account now!