CVE-2026-46181 - Vulnerability Details

- RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.

Published: 2026-05-28

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A concurrency bug in the Linux kernel’s RDMA driver mis‑uses RCU to handle SRQ events, causing the system to crash when an event is delivered before the SRQ object is fully initialized. The flaw does not provide a path to arbitrary code execution but results in an immediate service interruption when the kernel receives such an event.

Affected Systems

The vulnerability resides in the Linux kernel’s mlx4 RDMA module. No specific kernel version range is listed in the inputs, so any kernel build prior to the fix commit may be affected. The fix is included in the latest stable kernel releases as indicated by the Git references.

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity. The EPSS score is < 1%, suggesting a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. In environments that use RDMA SRQ events, the risk manifests as an abrupt kernel panic, which would interrupt service. Based on the description, the attack vector is inferred to be local or remote when an attacker can drive RDMA traffic that reaches the vulnerable driver, potentially leading to a denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`30353bfc43a1602c020f31d95cf27182ffd23824`	affected	< 1e2a44875b6afb4add1115f7f3351dcbeb6f273d
`30353bfc43a1602c020f31d95cf27182ffd23824`	affected	< 8b7833f3bce35cb0d01c1503781523c099c675f0
`30353bfc43a1602c020f31d95cf27182ffd23824`	affected	< c9341307ea16b9395c2e4c9c94d8499d91fe31d0

Linux

affected

Version	Status	Constraints
`4.9`	affected	—
`0`	unaffected	< 4.9
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[30353bfc43a1602c020f31d95cf27182ffd23824,1e2a44875b6afb4add1115f7f3351dcbeb6f273d)`	affected	code_commit	—
`[30353bfc43a1602c020f31d95cf27182ffd23824,8b7833f3bce35cb0d01c1503781523c099c675f0)`	affected	code_commit	—
`[30353bfc43a1602c020f31d95cf27182ffd23824,c9341307ea16b9395c2e4c9c94d8499d91fe31d0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.9`	affected	generic	—
`[0,4.9)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that contains the fix commit referenced in the advisory (e.g., kernel 6.6 or later as appropriate).
If an update is not immediately possible, apply the patch from the commit 1e2a44875b6afb4add1115f7f3351dcbeb6f273d to your kernel source and rebuild.
As a temporary alternative, if the updated kernel cannot be deployed, disable SRQ support or RDMA features in the kernel configuration to prevent the trigger.

Generated by OpenCVE AI on June 11, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00136.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1e2a44875b6afb4add1115f7f3351dcbeb6f273d
https://git.kernel.org/stable/c/8b7833f3bce35cb0d01c1503781523c099c675f0
https://git.kernel.org/stable/c/c9341307ea16b9395c2e4c9c94d8499d91fe31d0
https://lore.kernel.org/linux-cve-announce/2026052829-CVE-2026-46181-ecff@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46181
https://www.cve.org/CVERecord?id=CVE-2026-46181

History

Thu, 11 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 29 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-665

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
References		https://lore.kernel.org/linux-cve-announce/2026052829-CVE-2026-46181-ecff@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46181 https://www.cve.org/CVERecord?id=CVE-2026-46181
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 28 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-665

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.
Title		RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1e2a44875b6afb4add1115f7f3351dcbeb6f273d https://git.kernel.org/stable/c/8b7833f3bce35cb0d01c1503781523c099c675f0 https://git.kernel.org/stable/c/c9341307ea16b9395c2e4c9c94d8499d91fe31d0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:36:34.706Z

Updated: 2026-06-14T18:00:45.599Z

Reserved: 2026-05-13T15:03:33.103Z

Link: CVE-2026-46181

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:33.743

Modified: 2026-06-11T03:00:40.303

Link: CVE-2026-46181

Redhat

Severity : Important

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46181 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T05:30:06Z

Weaknesses

CWE-366
Race Condition within a Thread
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object