External risk intelligence

Linux Kernel RDMA SRP Bound Sense Copy Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-53186

This vulnerability affects the Linux kernel RDMA/srp (SCSI RDMA Protocol) initiator module. This protocol operates within specialized InfiniBand or RoCE data center fabrics, typically restricted to back-end storage area networks. It is not designed for public internet exposure, nor would it be deployed as a public-facing service.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This security vulnerability impacts the Linux kernel's handling of remote direct memory access (RDMA) protocols, specifically within the SRP (SCSI RDMA Protocol). While the fix limits the amount of data copied, an improperly configured or malicious entity could cause memory faults by sending malformed responses. The primary concern is to confirm if this specific technology is in use within our environment.

  • Kernel issue affects data transfer protocols.
  • Impacts specialized storage fabric technologies.
  • Confirm relevance to our specialized infrastructure.

Attack Path

How an attacker could exploit the issue

An attacker could leverage a compromised or malicious storage device on a private network to trigger a vulnerability within the Linux kernel's RDMA/srp component. This could occur when the system attempts to process a response from the storage device, potentially leading to a crash or unauthorized memory access.

  • Vulnerable system logged into fabric.
  • Malicious storage device sends oversized response.
  • Kernel crash or memory corruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a malicious or compromised storage target on a restricted network to cause a denial-of-service condition. When an initiator logs into a target, the target can send a response with a large data length that exceeds the actual received data. This could lead to a read fault when the system attempts to copy sense data, potentially crashing the affected service.

  • Kernel memory could be accessed.
  • Malicious storage target could trigger read faults.
  • Denial-of-service condition on the initiator.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Linux kernel's RDMA/srp module is affected, pointing towards infrastructure or platform teams managing InfiniBand/RoCE fabrics. The immediate first step is to inventory systems using this technology, assess their exposure and criticality, and identify the accountable owner before planning remediation.

  • Infrastructure or platform teams own the issue.
  • Verify affected systems and their reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Linux kernel RDMA/srp component?

The SCSI RDMA Protocol (SRP) is a communication method that allows Linux systems to access storage devices over high-speed InfiniBand or RoCE data center fabrics. It acts as an initiator, connecting to storage targets to perform data operations. This component is part of the kernel's networking stack, specifically designed for specialized, high-performance back-end storage area networks rather than standard desktop or server applications.

How does CVE-2026-53186 cause a system memory error?

This vulnerability is an improper bounds check. When the kernel processes a response from a storage target, it fails to verify that the reported data length matches the actual bytes received. If a target provides an artificially large length, the kernel attempts to copy data from an invalid memory address. This triggers a read fault, which can crash the system. It is a logic error in how the initiator handles incoming storage response headers.

Do I need to be worried if I am not using InfiniBand storage?

No. The vulnerability specifically affects the ib_srp module. If your Linux environment does not utilize InfiniBand or RoCE fabrics for storage connectivity, this specific kernel code path is not triggered. The bug requires an active session between an initiator and a storage target on a fabric to occur; simply having the kernel module loaded without an active connection to an SRP target negates the trigger path.

Is my server exposed to this vulnerability?

Halo Surface Signal indicates this risk is very unlikely for most systems. Because SRP operates on specialized, internal data center fabrics, it is not designed to be exposed to the public internet. You should primarily investigate servers configured to act as SRP initiators within your private storage network infrastructure, as these are the systems where a compromised storage target could potentially impact kernel stability.

What should I do first to manage this CVE?

Start by identifying all systems in your environment that are configured to use RDMA/srp for storage connectivity. Consult with your platform or infrastructure teams to determine which servers act as initiators on your InfiniBand or RoCE fabrics. Once you have an inventory of these specific systems, evaluate the necessity of the connection and plan to apply vendor-provided kernel updates that include the fix for this memory handling flaw.

References