Skip to main content

Linux Kernel CVE-2026-46176

| EUVDEUVD-2026-32803 HIGH
Expired Pointer Dereference (CWE-825)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r8g9-gm9p-ff4h
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:00 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same goto unlock in the s1 failure path.

AnalysisAI

Use-after-free and double-free condition in the Linux kernel RDMA/mlx5 driver allows local privileged users to corrupt kernel memory through error path mishandling in mlx5_ib_dev_res_srq_init(). The flaw stems from incorrect fall-through logic when ib_create_srq() fails for the second Shared Receive Queue (s1), leaving freed s0 pointers and ERR_PTR values assigned to device resource fields. No public exploit identified at time of analysis, with EPSS scoring this at just 0.02% probability of exploitation.

Technical ContextAI

The vulnerability resides in the mlx5 InfiniBand/RDMA driver (drivers/infiniband/hw/mlx5/) which provides kernel-level support for Mellanox ConnectX network adapters that perform RDMA operations. Specifically, mlx5_ib_dev_res_srq_init() initializes two Shared Receive Queues (SRQs) used for RDMA work request processing. When the second allocation fails, the error branch correctly destroys s0 via ib_destroy_srq() but lacks a goto statement, causing execution to continue and assign the now-freed s0 pointer and the ERR_PTR-encoded s1 to devr->s0 and devr->s1. Downstream code in mlx5_ib_create_qp() then dereferences these poisoned pointers via to_msrq(devr->s0)->msrq.srqn, and mlx5_ib_dev_res_cleanup() performs a double-free during teardown. This is a classic CWE-416 (Use After Free) and CWE-415 (Double Free) pattern caused by missing control flow on an error path.

RemediationAI

Upgrade to a Linux kernel containing the fix: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 or later (vendor-released patch confirmed via stable tree commits at git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9 and sibling commits a13c2ac4d480, b087913ae882, bc2cf5935b46, c488df06bd55). The fix adds the missing 'goto unlock' in the s1 failure path. As a compensating control where kernel updates cannot be applied immediately, unload the mlx5_ib module via 'modprobe -r mlx5_ib' on systems that do not require RDMA over Mellanox hardware - this eliminates the vulnerable code path entirely but disables RDMA verbs, InfiniBand, and RoCE functionality, breaking any RDMA-dependent workloads (NVMe-oF, GPUDirect RDMA, MPI in HPC clusters). For distribution kernels, monitor your vendor's advisory channels and apply the next available kernel security update.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy