Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix double free related to rereg_user_mr

If IB_MR_REREG_TRANS is set during rereg_user_mr, the
umem will be released and a new one will be allocated
in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans
fails after the new umem is allocated, it releases the umem,
but does not set iwmr->region to NULL. The problem is that
this failure is propagated to the user, who will then call
ibv_dereg_mr (as they should). Then, the dereg_mr path will
see a non-NULL umem and attempt to call ib_umem_release again.

Fix this by setting iwmr->region to NULL after ib_umem_release.

Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During re‑registration of an InfiniBand memory region when the IB_MR_REREG_TRANS flag is set, the kernel releases a user memory region but fails to clear its reference pointer. When the user subsequently deregisters the region, the kernel attempts to release the same memory region a second time, causing a double free. This flaw is a classic instance of CWE‑1341: Critical Offset Vulnerability and CWE‑415: Double Free, and can lead to kernel heap corruption or a kernel crash, resulting in a denial of service on the affected host.

Affected Systems

The issue resides in the Linux kernel’s irdma driver. Any kernel that bundles this driver before the inclusion of commit 5ac388db27c4 is potentially vulnerable. Since the kernel version is not specifically enumerated, all distributions shipping a kernel that lacks this commit are at risk.

Risk and Exploitability

The CVSS score is 7.8, which remains a medium severity vulnerability. The EPSS score is <1% and the issue is not listed in CISA KEV. Based on the description, it is inferred that the attack requires local RDMA operations and can be triggered by a user who can invoke the re‑registration path. While there is no documented exploitation beyond data corruption or a crash, the nature of the double free warrants timely correction.

Generated by OpenCVE AI on May 12, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 5ac388db27c4 or later
  • Unload or disable the irdma kernel module to stop RDMA operations until the kernel is patched
  • Reboot the system after applying the patch so that all kernel memory structures are reinitialized

Generated by OpenCVE AI on May 12, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
Title RDMA/irdma: Fix double free related to rereg_user_mr
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:19.328Z

Reserved: 2026-05-01T14:12:55.987Z

Link: CVE-2026-43120

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:25.913

Modified: 2026-05-12T21:37:37.813

Link: CVE-2026-43120

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43120 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses