Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()

Sashiko points out there are two bugs here in the error unwind flow, both
related to how the WQ table is unwound.

First there is a double i-- on the first failure path due to the while loop
having a i--, remove it.

Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not
undone due to the above i--.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect revolves around cleanup logic in the RDMA/mana subsystem when creating a Queue Pair RSS. A duplicate decrement of an index counter causes the shutdown loop to skip an entry, while a failure in installing a completion queue callback prevents earlier work‑queue objects from being undone. This results in dangling references that may later be dereferenced or freed twice, corrupting kernel memory. Consequently, the system can crash or become unstable, yielding a denial‑of‑service.
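The two unwind defects described above, modelled in user space as an added example (this is not the driver's code and not the upstream patch). `step`, `leaked_wqs` and the table size are hypothetical names, and the `fixed` branch that undoes the current iteration's object is an assumption about one correct way to unwind.

```c
#include <stdbool.h>
#include <stdio.h>

#define N 4 /* constructed indirection-table size */
static bool wq_live[N], cb_live[N];

/* Hypothetical stand-in for a create/install step that fails at index fail_at. */
static int step(bool *live, int i, int fail_at)
{
    if (i == fail_at)
        return -1;
    live[i] = true;
    return 0;
}

/* Runs the setup loop; returns how many WQ objects stay live after the error unwind. */
int leaked_wqs(bool fixed, int wq_fail_at, int cb_fail_at)
{
    int i, leaked = 0;
    for (i = 0; i < N; i++)
        wq_live[i] = cb_live[i] = false;
    for (i = 0; i < N; i++) {
        if (step(wq_live, i, wq_fail_at)) {  /* models mana_create_wq_obj() failing */
            if (!fixed)
                i--; /* buggy: the unwind loop's own i-- already steps back to i-1 */
            goto fail;
        }
        if (step(cb_live, i, cb_fail_at)) {  /* models mana_ib_install_cq_cb() failing */
            if (fixed)
                wq_live[i] = false; /* undo this iteration's WQ before the common unwind */
            goto fail;
        }
    }
    return 0; /* no failure injected, nothing to unwind */
fail:
    while (i-- > 0) /* unwinds entries i-1 .. 0 only */
        wq_live[i] = cb_live[i] = false;
    for (i = 0; i < N; i++)
        leaked += wq_live[i];
    return leaked;
}

int main(void)
{
    printf("buggy: wq@2 leaks %d, cb@2 leaks %d; fixed: %d, %d\n",
           leaked_wqs(false, 2, -1), leaked_wqs(false, -1, 2),
           leaked_wqs(true, 2, -1), leaked_wqs(true, -1, 2));
    return 0;
}
```

In the buggy variant each injected failure leaves exactly one WQ object un-destroyed: entry 1 when creation fails at index 2, and entry 2 when the callback install fails at index 2.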

Affected Systems

The generic Linux kernel is affected when the RDMA/mana driver contains the buggy code path. Specific version information is not listed in the advisory; however, any kernel build before the patch commit that introduces the double decrement fix is potentially vulnerable. Systems that load the mana module or use RDMA operations are the most likely to exercise the vulnerable code.

Risk and Exploitability

Based on the CVSS score of 5.5, the vulnerability is classified as medium severity. The EPSS score remains below 1%, indicating a low likelihood of widespread exploitation. Because the issue can cause a kernel crash via erroneous cleanup in the RDMA/mana subsystem, the potential impact is a denial of service. Exploitation would require triggering the error path in the creation of a Queue Pair RSS, likely through a local RDMA application running with elevated privileges, which can bring the system down or force a reboot. The attack vector is expected to be local or within a privileged user‑space RDMA workload rather than remote.

Generated by OpenCVE AI on May 29, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that contains the RDMA/mana fix (commit 34ecf795692ee57c393109f4a24ccc313091e137).
  • If an immediate kernel upgrade is not possible, intentionally disable RDMA support or unload the mana module (e.g., using sysctl or kernel boot parameters) to prevent the driver from loading.
  • Monitor kernel logs such as dmesg or /var/log/kern.log for OOPS messages or RDMA/mana related errors and react promptly if they occur.

Advisories

No advisories yet.

History

Fri, 29 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-762

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 28 May 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-762

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound. First there is a double i-- on the first failure path due to the while loop having a i--, remove it. Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.
Title RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:56:23.136Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46126

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.140

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46126

Redhat

Severity : Low

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46126 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T04:00:13Z

Weaknesses