Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
kmem_cache_free+0x.../0x...
rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
rxe_elem_release+0x31/0x70 [rdma_rxe]
rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.
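The bug and the fix come down to where ownership of the queue is handed over. The following C model, written as an added illustration and not taken from the kernel's rxe driver, reproduces only that ordering: `toy_queue_cleanup`, `toy_copy_to_user`, `toy_srq_cleanup` and the two `srq_from_init_*` variants are hypothetical stand-ins for the functions named in the commit message, and the cleanup routine counts its calls instead of freeing memory so the second free is observable rather than a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the objects named in the commit message. These are
 * not the kernel's definitions; only the ownership pattern is reproduced. */
struct toy_queue {
	int cleanup_calls;	/* how often cleanup ran on this object */
};

struct toy_srq {
	struct toy_queue *queue;	/* stands in for srq->rq.queue */
};

/* Stand-in for rxe_queue_cleanup(). A real second free would corrupt the
 * allocator; here every call is counted so the caller can observe it. */
static void toy_queue_cleanup(struct toy_queue *q)
{
	q->cleanup_calls++;
}

/* Stand-in for copy_to_user(): non-zero means the copy failed. The flag
 * lets the caller force the failure path that exposes the bug. */
static int toy_copy_to_user(bool fail)
{
	return fail ? 1 : 0;
}

/* Pre-fix ordering: the queue pointer is published into the SRQ before the
 * fallible copy, so the error path frees a queue the SRQ still references. */
static int srq_from_init_buggy(struct toy_srq *srq, struct toy_queue *q,
			       bool copy_fails)
{
	srq->queue = q;
	if (toy_copy_to_user(copy_fails)) {
		toy_queue_cleanup(q);	/* srq->queue now dangles */
		return -1;
	}
	return 0;
}

/* Post-fix ordering: ownership is handed to the SRQ only once nothing in
 * this function can fail anymore. */
static int srq_from_init_fixed(struct toy_srq *srq, struct toy_queue *q,
			       bool copy_fails)
{
	if (toy_copy_to_user(copy_fails)) {
		toy_queue_cleanup(q);	/* srq->queue was never set */
		return -1;
	}
	srq->queue = q;
	return 0;
}

/* Stand-in for rxe_srq_cleanup(), which the caller runs on error. Assumed
 * to skip a NULL queue pointer, as cleanup of a half-built object should. */
static void toy_srq_cleanup(struct toy_srq *srq)
{
	if (srq->queue) {
		toy_queue_cleanup(srq->queue);
		srq->queue = NULL;
	}
}

/* Mirrors the rxe_create_srq() flow from the commit message: init, then
 * cleanup on error. Returns how many times the queue was cleaned up;
 * 2 is the double free. */
static int simulate_create_srq(bool use_fixed, bool copy_fails)
{
	struct toy_queue q = { .cleanup_calls = 0 };
	struct toy_srq srq = { .queue = NULL };
	int err = use_fixed ? srq_from_init_fixed(&srq, &q, copy_fails)
			    : srq_from_init_buggy(&srq, &q, copy_fails);

	if (err)
		toy_srq_cleanup(&srq);
	return q.cleanup_calls;
}

int main(void)
{
	printf("buggy, copy fails: %d cleanups\n", simulate_create_srq(false, true));
	printf("fixed, copy fails: %d cleanups\n", simulate_create_srq(true, true));
	printf("fixed, copy ok:    %d cleanups\n", simulate_create_srq(true, false));
	return 0;
}
```

The general rule the model shows is the one the patch applies: a pointer should be stored into an object that has its own cleanup path only after every fallible step has succeeded, or else the error path must clear the pointer it just freed. On the success path the SRQ owns the queue and releases it during normal destruction, which the model does not simulate, so the count there is zero.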
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free occurs in the RDMA/rxe driver when creating a shared receive queue. The code assigns a queue pointer before copying SRQ data into user space; if the copy fails, the pointer is freed while still stored in the structure. During cleanup a second free of the same memory is attempted, corrupting kernel memory. While the CVE description does not explicitly state that arbitrary code execution is possible, the nature of the bug – a double free in kernel space – introduces the potential for privilege escalation or system instability if an attacker can trigger the crash or abuse the corrupted memory region.

Affected Systems

All Linux kernel builds that include the rdma_rxe driver are affected. No specific kernel version list is given in the advisory, so any release prior to the commit that introduced the fix is vulnerable.

Risk and Exploitability

The advisory does not provide a CVSS score or EPSS score, and the vulnerability is not listed in the CISA KEV catalog. The attack vector likely requires local or privileged user access to RDMA functionality, as the bug is triggered during RDMA SRQ creation. No public exploits are reported, but the kernel memory corruption could be leveraged by an attacker with sufficient privileges or by a local process that uses RDMA verbs. Risk is therefore significant for systems that expose RDMA to untrusted users or services, and is mitigated by applying the patch.

Generated by OpenCVE AI on May 27, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a revision that includes the rxe_srq_from_init fix commit
  • If a kernel update cannot be applied immediately, unload or disable the rdma_rxe kernel module to block the vulnerable path
  • Restrict RDMA device access by configuring udev rules or using capabilities to ensure that only trusted, privileged users can issue RDMA commands


Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type                  Values Removed    Values Added
Description                             (full text as shown under Description above)
Title                                   RDMA/rxe: Fix double free in rxe_srq_from_init
First Time appeared                     Linux; Linux linux Kernel
CPEs                                    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                      Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:26.084Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45852

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:57.193

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses