Skip to main content

Linux Kernel RDMA/EFA CVE-2026-31493

| EUVDEUVD-2026-24863 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fx4x-f93f-2jqv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:52 vuln.today
CVSS changed
Apr 28, 2026 - 14:52 NVD
7.8 (HIGH)
Patch released
Apr 28, 2026 - 14:45 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24863
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/efa: Fix use of completion ctx after free

On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.

AnalysisAI

Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the EFA (Elastic Fabric Adapter) driver used for AWS cloud network acceleration. The CWE-416 use-after-free condition occurs in the admin command submission flow where the completion context structure is deallocated in the polling/interrupt handler before error-path code attempts to print diagnostic data from that same context. This asymmetric allocation/deallocation pattern creates a classic temporal memory safety violation where freed memory is dereferenced, potentially containing attacker-controlled data if the heap slot has been reallocated. The RDMA layer operates in kernel space with elevated privileges, making memory corruption here particularly dangerous. The CPE data confirms impact across kernel versions 5.12 through 7.0 release candidates, indicating the vulnerable code was introduced in commit 68fb9f3e312a and persisted through multiple stable releases.

RemediationAI

Apply vendor-released kernel patches immediately for systems using RDMA/EFA functionality. Upstream fixes are available in commits ef3b06742c8a (mainline), 1cf95fe5dc54 (stable branch), and 0dd98aea1c0c (LTS branch) accessible at git.kernel.org/stable. For production deployments, upgrade to patched stable kernel versions 6.18.21, 6.19.11, or 7.0 final release and later as documented in EUVD-2026-24863. The patches restructure the admin command submission flow to make completion context allocation and deallocation symmetric, ensuring deallocation occurs only after all potential uses complete. For systems that cannot immediately patch, the primary compensating control is to unload or blacklist the efa kernel module if RDMA/EFA functionality is not required-add 'blacklist efa' to /etc/modprobe.d/blacklist.conf and rebuild initramfs. Note this breaks RDMA networking for AWS EFA workloads and should only be used as temporary mitigation. Restricting local user access provides defense-in-depth but does not eliminate risk from compromised low-privilege accounts. No effective workaround exists for systems requiring active EFA functionality-patching is mandatory.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy