Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/efa: Fix use of completion ctx after free

On admin queue completion handling, if the admin command completed with
error we print data from the completion context. The issue is that we
already freed the completion context in polling/interrupts handler which
means we print data from context in an unknown state (it might be
already used again).
Change the admin submission flow so alloc/dealloc of the context will be
symmetric and dealloc will be called after any potential use of the
context.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential information disclosure
Action: Patch
AI Analysis

Impact

This vulnerability is a use‑after‑free bug (CWE‑416) in the RDMA over Ethernet Fabrics (EFA) subsystem of the Linux kernel. When an admin command fails, the completion handler accesses and prints data from a completion context that has already been freed in the polling or interrupt handler, causing the kernel to read from memory in an undefined state. The effect is to expose data that may have resided in the context to log output or error messages, potentially revealing sensitive information (CWE‑825). The flaw does not directly alter program state or crash the kernel; its impact is limited to a confidentiality leak through log output.
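
The flow described above, as an added example that is not part of the advisory or the kernel patch: a user-space model with a one-slot context pool, comparing the old flow (the completion handler frees the context) with the symmetric flow (the submitter frees it after the error print). All names (comp_ctx, ctx_alloc, ctx_dealloc, handle_completion, submit_failing_cmd), the command labels and the status value are constructed for illustration.

```c
/* User-space model of the flow above; all names are hypothetical, not the driver's. */
#include <stdio.h>
#include <string.h>

struct comp_ctx { int in_use; int status; char cmd[16]; };
static struct comp_ctx pool[1];   /* one slot, so a freed context is reused at once */

static struct comp_ctx *ctx_alloc(const char *cmd) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        pool[i].status = 0;
        snprintf(pool[i].cmd, sizeof pool[i].cmd, "%s", cmd);
        return &pool[i];
    }
    return NULL;                  /* pool exhausted */
}

static void ctx_dealloc(struct comp_ctx *c) { c->in_use = 0; }

/* Polling/interrupt side: records the status; the old flow also frees here. */
static void handle_completion(struct comp_ctx *c, int status, int handler_frees) {
    c->status = status;
    if (handler_frees) ctx_dealloc(c);
}

/* Submit a command that fails and write the error line the submitter would log. */
static void submit_failing_cmd(int handler_frees, char *out, size_t n) {
    struct comp_ctx *c = ctx_alloc("cmd-A");       /* constructed command label */
    handle_completion(c, -5, handler_frees);       /* constructed error status */
    struct comp_ctx *other = ctx_alloc("cmd-B");   /* a second submitter arrives */
    snprintf(out, n, "%s failed: %d", c->cmd, c->status);
    if (!handler_frees) ctx_dealloc(c);            /* fixed flow: free after last use */
    if (other) ctx_dealloc(other);
}

int main(void) {
    char line[64];
    submit_failing_cmd(1, line, sizeof line);
    printf("handler frees:   %s\n", line);
    submit_failing_cmd(0, line, sizeof line);
    printf("submitter frees: %s\n", line);
    return 0;
}
```

In the old flow the error line reports the second submitter's command and a cleared status, because the slot was handed out again before the print; in the symmetric flow the second allocation fails instead and the line reports the submitter's own data.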

Affected Systems

All Linux kernel builds that include the RDMA/EFA driver and do not contain the commit that fixes the bug are vulnerable. The issue affects kernels up through the 7.0 release candidates (rc1 through rc7) as well as older releases such as 5.12. Kernel versions in 7.0 RC8 and later, as well as stable releases after 7.0 incorporating the patch, are considered fixed.

Risk and Exploitability

The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating a very low probability of exploitation. The bug appears to require local privileged execution to trigger the problematic error path in the RDMA/EFA module, making it unlikely to be leveraged remotely. Because the flaw only exposes data when the driver writes it to logs, an attacker would need to analyze those logs locally, further reducing the practical risk. The CVSS score of 7.8 reflects the high confidentiality impact, but overall risk remains moderate given the limited exploitation surface.

Generated by OpenCVE AI on April 29, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch associated with commit 0dd98aea1c0c45987fa2dd92f988b0eb1a72c125 (or a later stable kernel version).
  • If an immediate kernel upgrade is not possible, unload the RDMA/EFA module with `modprobe -r rdma_efa` to prevent the vulnerable code path from executing.
  • Regularly review kernel logs such as `dmesg` or `/var/log/kern.log` for anomalous completion messages that could indicate residual use of freed context data.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics
Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics
Removed: threat_severity None
Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Added: threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.
Title RDMA/efa: Fix use of completion ctx after free
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:47.997Z

Reserved: 2026-03-09T15:48:24.102Z

Link: CVE-2026-31493

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:47.170

Modified: 2026-04-28T14:45:56.410

Link: CVE-2026-31493

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31493 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T03:00:12Z
