Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Sashiko points out that the user can specify WQs sharing the same CQ as a
part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
the kernel.

Just reject it outright and fail the QP creation.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the RDMA mana subsystem of the Linux kernel, specifically within the mana_ib_create_qp_rss() function. User input that specifies work queues sharing the same completion queue triggers a WARN_ON() guard, which can lead to kernel memory corruption. If the guard is hit, the function continues execution and corrupts internal kernel data structures, which may allow an attacker to crash the system or potentially execute arbitrary code with kernel privileges. The flaw is a memory corruption issue as it fails to validate user‑provided parameters before use.

Affected Systems

This flaw affects all Linux kernel builds that contain the unpatched mana RDMA driver. No specific version range is listed in the notification, so any kernel variant shipping with the vulnerable code is potentially impacted until the fix is applied. The issue is tied to the Linux kernel product group.

Risk and Exploitability

Because the flaw involves kernel memory corruption, its severity is high. The CVSS score is not publicly published, but the lack of an EPSS score and absence from the CISA KEV list do not diminish the intrinsic risk of a kernel crash or privilege escalation. The likely attack vector is local or remote access to the RDMA user‑level API; an attacker who can provide crafted WQ identifiers to a running system can trigger the guard. With trivial prerequisites (RDMA client code), kernel corruption can be achieved. Until a kernel upgrade is available, unmitigated systems remain at risk.

Generated by OpenCVE AI on May 28, 2026 at 12:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the mana_ib_create_qp_rss() patch which removes the WARN_ON guard and rejects QP creation with invalid input.
  • If an immediate upgrade is not possible, disable or unload the RDMA mana driver to prevent usage of the vulnerable function.
  • For environments that must use RDMA, monitor kernel logs for WARN_ON triggers and block or remediate suspicious RDMA QP creation requests.

Generated by OpenCVE AI on May 28, 2026 at 12:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation.
Title RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:32.344Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46117

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:27.203

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T12:30:16Z

Weaknesses