Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
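
The fall-through described above, reduced to a userspace model (an added example, not the kernel's code): `s0`, `s1` and `devr` follow the description, while `model_create_srq()`, `model_destroy_srq()`, `model_reset()` and the `fixed` switch are hypothetical stand-ins. Destroyed objects are only marked dead rather than freed, so the stale state can be inspected safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal userspace equivalents of the kernel's ERR_PTR helpers. */
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)
#define PTR_ERR(p) ((int)(intptr_t)(p))

struct srq { int alive; };
struct dev_res { struct srq *s0, *s1; };

static struct srq pool[2];          /* constructed backing store, never freed */
static int ncreated, fail_second;   /* constructed fault injection */

static void model_reset(int fail) { ncreated = 0; fail_second = fail; }

static struct srq *model_create_srq(void)
{
    if (ncreated == 1 && fail_second)
        return ERR_PTR(-12);        /* -ENOMEM on the second allocation */
    pool[ncreated].alive = 1;
    return &pool[ncreated++];
}

static void model_destroy_srq(struct srq *s) { s->alive = 0; }

static int srq_init(struct dev_res *devr, int fixed)
{
    struct srq *s0, *s1;
    int ret = 0;

    if (devr->s1)                   /* lock-free fast path */
        return 0;
    s0 = model_create_srq();
    if (IS_ERR(s0)) { ret = PTR_ERR(s0); goto unlock; }
    s1 = model_create_srq();
    if (IS_ERR(s1)) {
        ret = PTR_ERR(s1);
        model_destroy_srq(s0);
        if (fixed)
            goto unlock;            /* the fix: skip publishing s0/s1 */
    }
    devr->s0 = s0;                  /* buggy path: destroyed s0 published */
    devr->s1 = s1;                  /* buggy path: ERR_PTR published */
unlock:
    return ret;
}

int main(void)
{
    struct dev_res d = {0};
    model_reset(1);
    printf("buggy: ret=%d\n", srq_init(&d, 0));
    printf("retry: ret=%d s1_is_err=%d\n", srq_init(&d, 0), IS_ERR(d.s1));
    return 0;
}
```

With the fall-through, a retry after the failure returns success through the fast path even though neither SRQ is usable; with the `goto unlock`, both fields stay NULL and a later call can initialise them cleanly.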
AI Analysis

Impact

An error path in the mlx5 RDMA driver's SRQ initialization routine falls through on failure: when creation of the second SRQ fails, the first SRQ is destroyed, but the freed pointer and the error pointer are still stored in the device structure. Subsequent fast-path checks treat the stored error pointer as an already initialised SRQ, and later code dereferences these pointers or frees the first SRQ again, producing a use-after-free and double-free scenario that corrupts kernel memory.

Affected Systems

This vulnerability applies to all Linux kernel releases that include the RDMA mlx5 driver before the commits cited in the references. Any system running an unpatched kernel with that driver compiled in is susceptible; the flaw is not tied to a single kernel release because it was identified in the source code rather than in a particular build.

Risk and Exploitability

The EPSS score of less than 1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.8 corresponds to a High severity rating. While the CVE description does not assert that a successful exploit results in privilege escalation or denial of service, the nature of the flaw (kernel memory corruption through a use-after-free and double-free) could lead to a kernel crash or allow an attacker with sufficient local or RDMA-based access to corrupt memory and potentially execute arbitrary code. Based on the description, it is inferred that the likely attack vector is a privileged local user who can create SRQs. The precise feasibility of exploitation remains unspecified in the provided data.

Generated by OpenCVE AI on June 10, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch commits referenced in the CVE description, which fixes the use‑after‑free flaw identified as CWE‑825.
  • If an immediate kernel upgrade is not possible, disable the mlx5 RDMA driver or prevent SRQ allocation until the patch is applied, thereby stopping the vulnerable code from executing.
  • Restrict RDMA operations to trusted users or services by enforcing appropriate access controls, such as limiting the "ib_" device access and ensuring only privileged, verified processes may perform SRQ creation, which reduces the risk of exploitation of the underlying memory corruption.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 28 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.
Title RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:00:21.186Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46176

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:33.220

Modified: 2026-06-10T21:15:06.013

Link: CVE-2026-46176

Redhat

Severity : Important

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46176 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses