Linux Distros Unpatched Vulnerability : CVE-2026-52995

Published: 25 Jun 2026 00:00:00 | Reported by: Tenable | Type: nessus | Source: www.tenable.com

CVE-2026-52995, unpatched in the affected Linux distributions, lets a local user read uninitialized kernel stack memory through the RDS info getsockopt() path.

Related
| Reporter | Title | Published | Family |
|---|---|---|---|
| ATTACKERKB | CVE-2026-52995 | 24 Jun 2026 16:29 | attackerkb |
| CVE | CVE-2026-52995 | 24 Jun 2026 16:29 | cve |
| Cvelist | CVE-2026-52995 net/rds: zero per-item info buffer before handing it to visitors | 24 Jun 2026 16:29 | cvelist |
| Debian CVE | CVE-2026-52995 | 24 Jun 2026 16:29 | debiancve |
| EUVD | EUVD-2026-38863 | 24 Jun 2026 18:32 | euvd |
| NVD | CVE-2026-52995 | 24 Jun 2026 17:17 | nvd |
| OSV | DEBIAN-CVE-2026-52995 | 24 Jun 2026 20:48 | osv |
| OSV | ECHO-A73F-7470-B824 | 25 Jun 2026 09:55 | osv |
| OSV | UBUNTU-CVE-2026-52995 | 25 Jun 2026 00:00 | osv |
| Positive Technologies | PT-2026-51889 | 24 Jun 2026 00:00 | ptsecurity |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(322652);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/25");

  script_cve_id("CVE-2026-52995");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-52995");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and
    rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and
    then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the
    buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a
    subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst
    addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr,
    max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and
    cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d
    out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only
    rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a
    real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor,
    rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be
    vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction
    on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets
    SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is
    sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the
    global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned
    68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a
    63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff
    kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08
    00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00
    cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and
    rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens
    all current and future visitors against the same class of bug. No functional change for visitors that
    fully populate their output. Changes in v2: - retarget at the net tree (subject prefix [PATCH net v2],
    net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
    (CVE-2026-52995)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-52995");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-52995");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "btrfs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "cdrom-core-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "ext4-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "fat-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "isofs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "jfs-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "kernel-image-6.1.0-47-alpha-generic-di"},
          {"reference": "linux-doc"},
          {"reference": "linux-doc-6.1"},
          {"reference": "linux-headers-6.1.0"},
          {"reference": "linux-source"},
          {"reference": "linux-source-6.1"},
          {"reference": "linux-support-6.1.0"},
          {"reference": "loop-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-shared-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "nic-wireless-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "pata-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "ppp-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-core-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "scsi-nic-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "serial-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "usb-serial-modules-6.1.0-47-alpha-generic-di"},
          {"reference": "xfs-modules-6.1.0-47-alpha-generic-di"}
        ]
      }
    ]
  },
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "bpftool"},
          {"reference": "btrfs-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "cdrom-core-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "hyperv-daemons"},
          {"reference": "kernel-image-5.10.0-32-alpha-generic-di"},
          {"reference": "libcpupower-dev"},
          {"reference": "libcpupower1"},
          {"reference": "linux-bootwrapper-5.10.0"},
          {"reference": "linux-config-5.10"},
          {"reference": "linux-cpupower"},
          {"reference": "linux-doc"},
          {"reference": "linux-doc-5.10"},
          {"reference": "linux-headers-5.10.0"},
          {"reference": "linux-kbuild-5.10"},
          {"reference": "linux-libc-dev"},
          {"reference": "linux-perf"},
          {"reference": "linux-perf-5.10"},
          {"reference": "linux-source"},
          {"reference": "linux-source-5.10"},
          {"reference": "linux-support-5.10.0"},
          {"reference": "loop-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-shared-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "nic-wireless-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "pata-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "ppp-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-core-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "scsi-nic-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "serial-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "usb-serial-modules-5.10.0-32-alpha-generic-di"},
          {"reference": "usbip"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
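
The bug class in the plugin description (a visitor fills only part of a non-packed struct, yet the full item_len is copied out) can be modeled in user space. This is an added example, not Tenable's plugin or kernel code: `model_ib_info`, `visitor_not_up` and `stale_bytes_copied` are hypothetical names, the layout follows the 68-byte item in the description, and a constructed 0xAA fill stands in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of the item layout the description gives (not packed). */
struct model_ib_info {
    uint32_t src_addr, dst_addr;          /* offsets 0..7   */
    uint8_t  src_gid[16], dst_gid[16];    /* offsets 8..39  */
    uint32_t max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size;
    uint8_t  tos, sl;                     /* 60..61, then a 2-byte hole */
    uint32_t cache_allocs;                /* offsets 64..67 */
};

#define POISON 0xAA  /* constructed stand-in for stale stack contents */

/* Visitor for a connection that is not UP: writes only the subset the
 * description lists (addresses, zeroed GIDs, tos, sl). */
static void visitor_not_up(unsigned char *buf)
{
    const unsigned char src[4] = {10, 99, 0, 1}, dst[4] = {10, 99, 0, 2};
    memcpy(buf + offsetof(struct model_ib_info, src_addr), src, 4);
    memcpy(buf + offsetof(struct model_ib_info, dst_addr), dst, 4);
    memset(buf + offsetof(struct model_ib_info, src_gid), 0, 32); /* both GIDs */
    buf[offsetof(struct model_ib_info, tos)] = 0;
    buf[offsetof(struct model_ib_info, sl)] = 0;
}

/* Walk one item and return how many stale bytes reach the "user" copy. */
size_t stale_bytes_copied(int zero_first)
{
    unsigned char item[sizeof(struct model_ib_info)];
    unsigned char user[sizeof(item)];
    size_t i, stale = 0;

    memset(item, POISON, sizeof(item));   /* simulate a dirty stack buffer */
    if (zero_first)
        memset(item, 0, sizeof(item));    /* the fix: zero before the visitor */
    visitor_not_up(item);
    memcpy(user, item, sizeof(item));     /* full item_len is copied out */
    for (i = 0; i < sizeof(user); i++)
        stale += (user[i] == POISON);
    return stale;
}

size_t model_item_len(void)    { return sizeof(struct model_ib_info); }
size_t model_hole_offset(void) { return offsetof(struct model_ib_info, sl) + 1; }
```

Zeroing in the walker rather than in each visitor is what makes the fix cover the padding bytes, which no field assignment in a visitor would ever reach.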

Vulners AI Score: 6.1 (Medium risk), 25 Jun 2026 00:00 (current)