Skip to main content

Linux Kernel CVE-2026-46084

| EUVDEUVD-2026-32467 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-996r-prhc-hfj8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local trigger via RDMA QP create/destroy needs device access so AV:L/PR:L/AC:L; kernel use-after-free corruption supports high C/I/A within an unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:24 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana_ib: Disable RX steering on RSS QP destroy

When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs:

WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.

AnalysisAI

Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.

Technical ContextAI

The flaw is in drivers/infiniband mana_ib, the kernel RDMA provider for the Microsoft Azure Network Adapter (MANA), working alongside the mana_en ethernet driver. When mana_ib_destroy_qp_rss() tears down an RSS (Receive Side Scaling) queue pair it frees the RX work-queue objects but never asks firmware to disable vPort RX steering. The steering table therefore keeps pointing at freed RX/CQ objects (CWE-416, use-after-free). If a peer VM keeps transmitting and the VF is later brought up via mana_open, firmware delivers completions using the stale CQ IDs of the destroyed RX objects; because the ethernet driver recycles those CQ IDs for new TX CQs, RX completions are processed against TX CQ contexts, producing the observed mana_poll_tx_cq (is_sq == false) and mana_gd_process_eq_events cq_table lookup failures. The fix disables vPort RX steering before destroying the RX WQ objects, factoring the logic into a shared mana_disable_vport_rx() exported from mana_en; mana_fence_rqs() is unusable here because the fence completion is delivered on a CQ polled by user mode (DPDK), invisible to the kernel.

RemediationAI

Apply the vendor-released kernel patch: upgrade to a fixed stable release - 6.6.140 or later on the 6.6 series, 6.12.86 on 6.12, 6.18.27 on 6.18, 7.0.4 on 7.0, or 7.1-rc1 - or apply the corresponding stable commits (3be5ed233de03b00ae868cfc06e95331d8d9007c, 6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f, 8ba804869382ce307f2a15f5f6f2adfd791f41dc, dbeb256e8dd87233d891b170c0b32a6466467036, f1ccc4d500a0b87a5599343fc2f798048836e184) from git.kernel.org/stable. The patch disables vPort RX steering before RX WQ destruction, eliminating the stale steering window. Where immediate patching is not possible, the most effective compensating control is to restrict who can use MANA RDMA / DPDK on the affected guests: limit access to the RDMA device nodes (e.g., /dev/infiniband) to trusted users, since exploitation requires the local ability to create and destroy RSS QPs - the trade-off is that it blocks legitimate DPDK/RDMA workloads. If RDMA on MANA is not required, unloading or not loading the mana_ib module removes the vulnerable code path entirely, at the cost of RDMA functionality. Consult the vuldb.com/vuln/366307 advisory for tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy