Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Sashiko points out that the user can specify WQs sharing the same CQ as a
part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
the kernel.

Just reject it outright and fail the QP creation.
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the RDMA mana driver of the Linux kernel, specifically in the mana_ib_create_qp_rss() routine. When a user supplies work queues that share a completion queue via the user‑level API, a WARN_ON() assertion is triggered. Instead of rejecting the request, the code continues execution and subsequently corrupts kernel memory. This results in kernel instability, leading to crashes or a denial‑of‑service condition. The defect is an instance of improper input validation (CWE‑1288).

Affected Systems

The affected systems are all Linux kernel builds that include the unpatched mana RDMA driver. Because no specific version range is provided, any kernel version containing the vulnerable mana_ib_create_qp_rss() function is potentially impacted until the patch is applied. All supported distributions are likely affected if their kernel package remains upstream with the vulnerability.

Risk and Exploitability

The CVSS base score of 7.8 indicates a medium‑to‑high severity vulnerability. The EPSS score of less than 1% and absence from the CISA KEV catalogue suggest a low probability of exploitation in the wild. Based on the description, it is inferred that an attacker would need the ability to interact with the RDMA user API, supplying crafted work queue identifiers that share a completion queue. This privilege is typically limited to processes with RDMA access or elevated privileges, meaning the attack vector is most likely local or requires an already compromised RDMA service. While exploitation could lead to kernel corruption and subsequent denial of service, the practical exploitation window appears constrained by the low EPSS.

Generated by OpenCVE AI on May 30, 2026 at 13:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch which rejects invalid QP creation requests and prevents the WARN_ON guard from being bypassed.
  • If an upgrade is not immediately feasible, unload or disable the RDMA mana driver (e.g., modprobe -r mana) to prevent use of the vulnerable routine.
  • As a temporary measure, configure kernel logging or an audit rule to detect WARN_ON triggers associated with mana_ib_create_qp_rss() and block subsequent RDMA QP creation attempts that involve multiple work queues sharing the same completion queue.

Generated by OpenCVE AI on May 30, 2026 at 13:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-416

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1288
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation.
Title RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:55:40.907Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46117

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:27.203

Modified: 2026-06-17T10:53:05.770

Link: CVE-2026-46117

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46117 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-1288

    Improper Validation of Consistency within Input