VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50736

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix immediate work request flush to completion queue

Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined opcode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing.

This patch further fixes a potential case of a malicious user who may write undefined values for completion queue elements status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above.
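The kind of check the description refers to, as an added example that is not the siw driver's code or the upstream patch: a table lookup that validates opcode and status before indexing. All type, enum and function names and all numeric values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical internal values; not the siw driver's definitions. */
enum drv_opcode { DRV_OP_WRITE, DRV_OP_READ, DRV_OP_SEND, DRV_NUM_OPCODES };
enum drv_status { DRV_ST_SUCCESS, DRV_ST_FLUSHED, DRV_ST_ERROR, DRV_NUM_STATUS };
/* Hypothetical core-side values the internal ones translate to. */
enum core_opcode { CORE_WC_RDMA_WRITE = 10, CORE_WC_RDMA_READ = 11, CORE_WC_SEND = 12 };
enum core_status { CORE_WC_SUCCESS = 0, CORE_WC_FLUSH_ERR = 5, CORE_WC_GENERAL_ERR = 21 };

static const int opcode_map[DRV_NUM_OPCODES] = {
    [DRV_OP_WRITE] = CORE_WC_RDMA_WRITE, [DRV_OP_READ] = CORE_WC_RDMA_READ,
    [DRV_OP_SEND] = CORE_WC_SEND,
};
static const int status_map[DRV_NUM_STATUS] = {
    [DRV_ST_SUCCESS] = CORE_WC_SUCCESS, [DRV_ST_FLUSHED] = CORE_WC_FLUSH_ERR,
    [DRV_ST_ERROR] = CORE_WC_GENERAL_ERR,
};

/* Completion queue element; its memory may also be mapped into user space. */
struct cqe { uint8_t opcode; uint8_t status; };
struct wc  { int opcode; int status; };

/* Unchecked form: trusts both fields, so a value >= the table size reads past the array. */
static void cqe_to_wc_unchecked(const struct cqe *c, struct wc *w)
{
    w->opcode = opcode_map[c->opcode];
    w->status = status_map[c->status];
}

/* Checked form: returns 0 and fills *w, or -1 and leaves *w untouched. */
static int cqe_to_wc_checked(const volatile struct cqe *c, struct wc *w)
{
    /* Read each field once so validation and lookup use the same value. */
    uint8_t op = c->opcode, st = c->status;
    if (op >= DRV_NUM_OPCODES || st >= DRV_NUM_STATUS)
        return -1;
    w->opcode = opcode_map[op];
    w->status = status_map[st];
    return 0;
}

int main(void)
{
    struct cqe ok = { DRV_OP_SEND, DRV_ST_FLUSHED }, bad = { 200, DRV_ST_SUCCESS };
    struct wc w;
    cqe_to_wc_unchecked(&ok, &w);   /* only safe because this input is valid */
    printf("valid: %d, undefined opcode: %d\n", cqe_to_wc_checked(&ok, &w), cqe_to_wc_checked(&bad, &w));
    return 0;
}
```

Kernel code would take the single snapshot with `READ_ONCE()` rather than a `volatile` pointer.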

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in the Linux kernel's RDMA/siw driver causes out-of-bounds access via an undefined opcode during work request flushing in QP ERROR state.

Vulnerability

In the Linux kernel's RDMA/siw driver, when an immediate work request is flushed while the Queue Pair (QP) is in ERROR state, the send queue element's opcode is not correctly set. This results in an undefined opcode value being used to index into an array that maps opcodes between the siw internal representation and the RDMA core representation for work completion generation. The out-of-bounds access was detected by KASAN as a 'global-out-of-bounds' bug during NFSoRDMA testing [1].

Exploitation

An unprivileged user can trigger this vulnerability by putting a QP into ERROR state and then issuing immediate work requests. Additionally, a malicious user with access to a memory-mapped completion queue (CQ) could write arbitrary values for status or opcode, similarly causing out-of-bounds access to the mapping arrays [2]. No special privileges are required beyond the ability to create and manipulate RDMA resources.

Impact

Successful exploitation could lead to memory corruption, information disclosure, or a system crash (denial of service). The out-of-bounds access may allow an attacker to read or write kernel memory beyond the intended arrays, potentially escalating privileges if combined with other techniques.

Mitigation

The vulnerability is fixed in Linux kernel stable releases. The fix was backported to multiple stable kernel branches as shown in the referenced commits [3]. Users should update their kernels to the latest patched versions. No workaround is available; the fix must be applied.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
