Skip to main content

Linux Kernel CVE-2026-45898

| EUVDEUVD-2026-32364 CRITICAL
Multiple Releases of Same Resource or Handle (CWE-1341)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-527m-87rr-p4rj
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:26 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix workqueue list corruption by removing work_list

The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expectation that queue_work() would have no effect if work was already pending. The problem is that a free list of struct iwcm_work is used (for which struct work_struct is embedded), so each call to queue_work() is basically unique and therefore does indeed queue the work.

This causes a problem in the work handler which walks the work_list until it's empty to process entries. This means that a single run of the work handler could process item N+1 and release it back to the free list while the actual workqueue entry is still queued. It could then get reused (INIT_WORK...) and lead to list corruption in the workqueue logic.

Fix this by just removing the work_list. The workqueue already does this for us.

This fixes the following error that was observed when stress testing with ucmatose on an Intel E830 in iWARP mode:

[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08) [ 151.466639] ------------[ cut here ]------------ [ 151.466986] kernel BUG at lib/list_debug.c:67! [ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary) [ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 151.469192] Workqueue: 0x0 (iw_cm_wq) [ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100 [ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 [ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046 [ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027 [ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600 [ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff [ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68 [ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000 [ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000 [ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0 [ 151.475895] PKRU: 55555554 [ 151.476118] Call Trace: [ 151.476331] <TASK> [ 151.476497] move_linked_works+0x49/0xa0 [ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0 [ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0 [ 151.477479] process_scheduled_works+0x1c8/0x410 [ 151.477823] worker_thread+0x125/0x260 [ 151.478108] ? __pfx_worker_thread+0x10/0x10 [ 151.478430] kthread+0xfe/0x240 [ 151.478671] ? __pfx_kthread+0x10/0x10 [ 151.478955] ? __pfx_kthread+0x10/0x10 [ 151.479240] ret_from_fork+0x208/0x270 [ 151.479523] ? __pfx_kthread+0x10/0x10 [ 151.479806] ret_from_fork_asm+0x1a/0x30 [ 151.480103] </TASK>

AnalysisAI

Kernel memory corruption in the Linux iWARP Connection Manager (RDMA/iwcm) subsystem can crash systems running RDMA workloads on iWARP-capable hardware such as Intel E830 adapters. The bug, introduced by commit e1168f0 ('RDMA/iwcm: Simplify cm_event_handler()'), causes workqueue list corruption when iwcm_work items from a free list are reused while still queued, triggering a kernel BUG and panic. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile), despite a CVSS base score of 9.8.

Technical ContextAI

The vulnerability lives in drivers/infiniband/core/iwcm.c, the iWARP (Internet Wide Area RDMA Protocol) Connection Manager that brokers connection-establishment events between iWARP-capable NICs (e.g., Intel E810/E830 in iWARP mode, Chelsio T-series) and userspace RDMA consumers. struct iwcm_work embeds a struct work_struct and is recycled from a per-cm-id free list. After commit e1168f0 simplified cm_event_handler() to unconditionally call queue_work(), the handler's internal work_list iteration could pop and free an iwcm_work entry back to the free list while its embedded work_struct was still pending in the kernel workqueue; a subsequent INIT_WORK on the recycled object then corrupted the workqueue's internal linked lists, manifesting as a list_del corruption BUG at lib/list_debug.c:67. The root cause class is a use-after-reuse / list corruption defect (CWE-416-adjacent, though no CWE was assigned by NVD); the fix simply removes the redundant work_list because the workqueue infrastructure already serializes execution.

RemediationAI

Upgrade to a Linux kernel containing the fix - vendor-released patched versions are 6.12.75, 6.18.14, 6.19.4, or 7.0, with upstream commits available at https://git.kernel.org/stable/c/7874eeacfa42177565c01d5198726671acf7adf2, https://git.kernel.org/stable/c/a6b9e793e74e372daa266fd0d58b751305877897, https://git.kernel.org/stable/c/38c5b49fffa1b760959af74f11806eeb3ef4706d, and https://git.kernel.org/stable/c/eb715133e0ae12514bba4d2d5ce1dee774476056; reference advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-45898. Until distro-built kernels (Debian/Ubuntu) ship the backport, hosts that do not actually use iWARP can blacklist or unload the iw_cm module (e.g., 'modprobe -r iw_cm' or an /etc/modprobe.d blacklist entry) which fully removes the vulnerable code path at the cost of breaking any iWARP RDMA workload on that host; in mixed environments where iWARP is required, restrict network reachability of RDMA endpoints to trusted management/storage VLANs and avoid exposing iWARP CM traffic to untrusted networks, accepting that this only narrows the attacker population rather than closing the bug.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy