Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
kmem_cache_free+0x.../0x...
rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
rxe_elem_release+0x31/0x70 [rdma_rxe]
rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free occurs in the RDMA/rxe driver when creating a shared receive queue. The code assigns a queue pointer before copying SRQ data into user space; if the copy fails, the pointer is freed while still stored in the structure. During cleanup a second free of the same memory is attempted, corrupting kernel memory. While the CVE description does not explicitly state that arbitrary code execution is possible, the nature of the bug – a double free in kernel space – introduces the potential for privilege escalation or system instability if an attacker can trigger the crash or abuse the corrupted memory region.
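A userspace model of the ownership ordering described above, added here as an illustration; it is not the kernel's rxe code. The types, function bodies and the release counter are constructed stand-ins, and releases are counted rather than performed so the double release can be observed without corrupting memory.

```c
#include <stdio.h>

/* Constructed userspace model: names echo the advisory, bodies are stand-ins. */
struct queue { int releases; };            /* counts frees instead of freeing */
struct srq   { struct queue *rq_queue; };  /* models srq->rq.queue */
static struct queue slot;                  /* the one queue this model hands out */

static struct queue *queue_alloc(void) { slot.releases = 0; return &slot; }
static void queue_cleanup(struct queue *q) { q->releases++; }
static int copy_out(int fail) { return fail ? -1 : 0; }  /* copy_to_user stand-in */

/* Vulnerable order: publish the pointer, then attempt the fallible copy. */
static int srq_init_buggy(struct srq *srq, int copy_fails)
{
    struct queue *q = queue_alloc();
    srq->rq_queue = q;
    if (copy_out(copy_fails)) {
        queue_cleanup(q);          /* release #1, srq->rq_queue left dangling */
        return -1;
    }
    return 0;
}

/* Fixed order: the srq takes ownership only after the copy succeeded. */
static int srq_init_fixed(struct srq *srq, int copy_fails)
{
    struct queue *q = queue_alloc();
    if (copy_out(copy_fails)) {
        queue_cleanup(q);          /* only release, srq->rq_queue is still NULL */
        return -1;
    }
    srq->rq_queue = q;
    return 0;
}

/* Generic teardown, run on the caller's error path and on normal destroy. */
static void srq_cleanup(struct srq *srq)
{
    if (srq->rq_queue) queue_cleanup(srq->rq_queue);
}

/* Total releases of the queue over one create/teardown cycle. */
static int releases(int use_fixed, int copy_fails)
{
    struct srq srq = { NULL };
    (void)(use_fixed ? srq_init_fixed : srq_init_buggy)(&srq, copy_fails);
    srq_cleanup(&srq);
    return slot.releases;
}

int main(void) { printf("buggy=%d fixed=%d\n", releases(0, 1), releases(1, 1)); return 0; }
```

A count of 2 is the double free; the success path yields 1 with either ordering, so the reordering removes the second release without introducing a leak.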

Affected Systems

All Linux kernel builds that include the rdma_rxe driver are affected. No specific kernel version list is given in the advisory, so any release prior to the commit that introduced the fix is vulnerable.

Risk and Exploitability

The CVSS score is 7.8, which is rated High. The EPSS score is less than 1%, suggesting a very low but non-zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires local or privileged user access to RDMA functionality, as the bug is triggered during RDMA SRQ creation. No public exploits are reported, but kernel memory corruption could be leveraged by an attacker with sufficient privileges or by a local process that uses RDMA verbs, which makes the risk substantial for systems that expose RDMA to untrusted users or services.

Generated by OpenCVE AI on May 30, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a revision that includes the rxe_srq_from_init fix commit
  • If a kernel update cannot be applied immediately, unload or disable the rdma_rxe kernel module to block the vulnerable path
  • Restrict RDMA device access by configuring udev rules or using capabilities to ensure that only trusted, privileged users can issue RDMA commands



Advisories
Source | ID | Title
Debian DLA | DLA-4606-1 | linux security update
History

Fri, 19 Jun 2026 12:45:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 28 May 2026 12:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title RDMA/rxe: Fix double free in rxe_srq_from_init
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-19T11:58:44.632Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45852

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:57.193

Modified: 2026-06-17T10:52:36.533

Link: CVE-2026-45852

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45852 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:30:23Z

Weaknesses