{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46176", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.103Z", "datePublished": "2026-05-28T09:36:30.398Z", "dateUpdated": "2026-05-28T09:36:30.398Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:36:30.398Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr->s0 and devr->s1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/mlx5/main.c"], "versions": [{"version": "b6334d2356fc0922ed01457960f74923058a353a", "lessThan": "a13c2ac4d480b734342c6fbf8249fc48afd675f3", "status": "affected", "versionType": "git"}, {"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467", "lessThan": "bc2cf5935b4665172235341163315905197ae91d", "status": "affected", "versionType": "git"}, {"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467", "lessThan": "b087913ae88256df66620f7ba0a9776716aeef7e", "status": "affected", "versionType": "git"}, {"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467", "lessThan": "6fd93142dd1d09000c3750af08270f5792523fe9", "status": "affected", "versionType": "git"}, {"version": "5895e70f2e6e8dc67b551ca554d6fcde0a7f0467", "lessThan": "c488df06bd552bb8b6e14fa0cfd5ad986c6e9525", "status": "affected", "versionType": "git"}, {"version": "6.6.64", "lessThan": "6.6.140", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/mlx5/main.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.64", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.1-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3"}, {"url": "https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d"}, {"url": "https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e"}, {"url": "https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9"}, {"url": "https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"}], "title": "RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr->s0 and devr->s1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path."}], "id": "CVE-2026-46176", "lastModified": "2026-05-28T10:16:33.220", "metrics": {}, "published": "2026-05-28T10:16:33.220", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}