Skip to main content

Linux Kernel CVE-2026-45910

| EUVDEUVD-2026-32376 HIGH
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-ghcq-8j2m-vfjm
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:28 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race condition in QP timer handlers

I encontered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... libsha1 [last unloaded: ip6_udp_tunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P) retransmit_timer+0x130/0x188 [rdma_rxe] call_timer_fn+0x68/0x4d0 __run_timers+0x630/0x888 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400 ... refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400

The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution.

It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests.

Example of flow causing the issue:

CPU0 CPU1 retransmit_timer() { spin_lock_irqsave rxe_destroy_qp() __rxe_cleanup() __rxe_put() // qp->ref_count decrease to 0 rxe_qp_do_cleanup() { if (qp->valid) { rxe_sched_task() { WARN_ON(rxe_read(task->qp) <= 0); } } spin_unlock_irqrestore } spin_lock_irqsave qp->valid = 0 spin_unlock_irqrestore }

Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use.

AnalysisAI

Use-after-free condition in the Linux kernel's RDMA Soft RoCE (rxe) driver allows local privileged users to trigger memory corruption through a race between the QP retransmit_timer handler and rxe_destroy_qp. The flaw stems from the Queue Pair reference count dropping to zero while a timer callback is still executing, producing refcount underflow warnings and potential kernel memory corruption. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The vulnerability resides in drivers/infiniband/sw/rxe/rxe_task.c, part of the Soft RoCE (RDMA over Converged Ethernet) software driver that emulates RDMA hardware over standard Ethernet. The bug is a classic time-of-check/time-of-use race between retransmit_timer() running on one CPU and rxe_destroy_qp() running on another: the destroy path calls __rxe_put() which decrements the QP reference count to zero, while the timer concurrently invokes rxe_sched_task() against the same QP. This is a use-after-free / refcount underflow pattern (CWE-416/CWE-911-class) on a kernel object whose lifetime is governed by reference counting, and the fix adds explicit rxe_get(qp)/rxe_put(qp) around the timer callbacks to keep the object alive for the duration of the handler.

RemediationAI

Upgrade to a patched stable kernel: 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 or later, depending on the branch in use, as published via the kernel.org stable commits referenced above (e.g., https://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73). Distribution users should track their vendor's backport advisory (Red Hat, SUSE, Ubuntu, Debian) and apply the corresponding kernel update once available. As a compensating control where patching is delayed, prevent the rxe driver from loading by blacklisting the rdma_rxe module (e.g., add 'blacklist rdma_rxe' under /etc/modprobe.d/) and unbinding any existing rxe links via rdma link delete; the side effect is loss of software RDMA emulation, which only impacts workloads that explicitly use Soft RoCE for RDMA testing or low-volume traffic over standard Ethernet. Additionally, restrict access to /dev/infiniband and rdma netlink to trusted users so that unprivileged accounts cannot create or destroy QPs to trigger the race.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy