Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()

Sashiko points out there are two bugs here in the error unwind flow, both
related to how the WQ table is unwound.

First, there is a double i-- on the first failure path due to the while loop
having an i--; remove it.

Second, if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not
undone due to the above i--.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect is in the error-unwind logic of the RDMA/mana driver when creating an RSS queue pair (mana_ib_create_qp_rss()). A duplicate decrement of the loop index causes the cleanup loop to skip an entry, while a failure in installing a completion queue callback leaves the work‑queue object created in that same iteration without being undone. This results in dangling references that may later be dereferenced or freed twice, corrupting kernel memory. Consequently, the system can crash or become unstable, yielding a denial‑of‑service.
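The two unwind mistakes named in the description can be reproduced in a small user-space model. This is an added example, not kernel source and not the upstream patch: `create_obj`, `install_cb`, `destroy_obj`, the `live[]` table and the fixed variant are hypothetical stand-ins, with failures injected by index.

```c
#include <stdbool.h>
#include <string.h>

#define NWQ 4
static bool live[NWQ];  /* constructed stand-in for the per-WQ objects */
static int fail_create_at = -1, fail_install_at = -1;  /* injected failure index, -1 = none */

static int create_obj(int i) { if (i == fail_create_at) return -1; live[i] = true; return 0; }
static int install_cb(int i) { return i == fail_install_at ? -1 : 0; }
static void destroy_obj(int i) { live[i] = false; }

/* Unwind shaped as the description states it: an extra i-- ahead of a loop that already decrements. */
static int setup_buggy(void)
{
    int i;
    for (i = 0; i < NWQ; i++) {
        if (create_obj(i)) { i--; goto fail; }  /* double decrement: entry i-1 is skipped */
        if (install_cb(i)) goto fail;           /* entry i exists, but the loop starts at i-1 */
    }
    return 0;
fail:
    while (i-- > 0) destroy_obj(i);
    return -1;
}

/* One corrected shape (an assumption for illustration, not the upstream patch). */
static int setup_fixed(void)
{
    int i;
    for (i = 0; i < NWQ; i++) {
        if (create_obj(i)) goto fail;                      /* nothing created at i */
        if (install_cb(i)) { destroy_obj(i); goto fail; }  /* undo entry i first */
    }
    return 0;
fail:
    while (i-- > 0) destroy_obj(i);
    return -1;
}

/* Inject one failure, run a variant, return how many objects were left alive. */
static int leaked_after(int (*setup)(void), int create_at, int install_at)
{
    int n = 0;
    memset(live, 0, sizeof live);
    fail_create_at = create_at; fail_install_at = install_at;
    setup();
    for (int i = 0; i < NWQ; i++) n += live[i];
    return n;
}
int main(void) { return leaked_after(setup_fixed, 2, -1) + leaked_after(setup_fixed, -1, 2); }
```

In the buggy variant each injected failure leaves exactly one object undestroyed; the fixed variant leaves none on either failure path.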

Affected Systems

The generic Linux kernel is affected when the RDMA/mana driver contains the buggy code path. Specific version information is not listed in the advisory; however, any kernel build before the patch commit that introduces the double decrement fix is potentially vulnerable. Systems that load the mana module or use RDMA operations are the most likely to exercise the vulnerable code.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The documented effect of a kernel crash indicates high risk. Exploitation would require the attacker to trigger the error path—most likely by running a local RDMA application that stimulates a QP RSS creation failure. With sufficient privilege or local access, this can be used to bring the system down, forcing a reboot or shutdown. The attack vector is likely local or within a privileged user space RDMA workload rather than remote.

Generated by OpenCVE AI on May 28, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that contains the RDMA/mana fix (commit c/34ecf795692ee57c393109f4a24ccc313091e137).
  • If an immediate kernel upgrade is not possible, intentionally disable RDMA support or unload the mana module (e.g., using sysctl or kernel boot parameters) to prevent the driver from loading.
  • Monitor kernel logs such as dmesg or /var/log/kern.log for OOPS messages or RDMA/mana related errors and react promptly if they occur.



History

Thu, 28 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-416, CWE-762

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound. First there is a double i-- on the first failure path due to the while loop having a i--, remove it. Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.
Title | (none) | RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
First Time appeared | (none) | Linux; Linux linux Kernel
CPEs | (none) | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:41.364Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46126

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.140

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:45:14Z
