Skip to main content

Linux Kernel CVE-2026-46189

| EUVDEUVD-2026-32816 HIGH
Double Free (CWE-415)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xxxv-9j5g-vqfc
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local kernel double free reachable by any user with RDMA uverbs access (PR:L, AV:L); no user interaction; full kernel memory corruption yields high C/I/A.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 05:27 vuln.today
CVSS changed
Jun 11, 2026 - 03:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

AnalysisAI

Double-free memory corruption in the Linux kernel's vmw_pvrdma (VMware Paravirtual RDMA) driver allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The flaw occurs in the pvrdma_alloc_ucontext() error path where pvrdma_uar_free() is invoked twice - once explicitly and again via pvrdma_dealloc_ucontext(). No public exploit identified at time of analysis, and EPSS (0.02%) indicates very low near-term exploitation probability.

Technical ContextAI

The vulnerability resides in drivers/infiniband/hw/vmw_pvrdma, the kernel-side driver for VMware's paravirtualized RDMA device used in virtualized environments to provide RDMA acceleration to guest VMs. The root cause is CWE-415 (Double Free): the pvrdma_alloc_ucontext() function calls pvrdma_uar_free() during its error handling, but the same UAR (User Access Region) cleanup is unconditionally performed again inside pvrdma_dealloc_ucontext(), so when the allocation path fails and the caller invokes dealloc, the UAR resource is released twice. Double frees on kernel slab objects can corrupt the SLUB freelist and are a well-known stepping stone toward kernel heap exploitation primitives.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) as appropriate for your stable series, pulling the fix from the kernel.org stable commits referenced above (e.g. https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59). Distribution users should apply the corresponding kernel update from their vendor once published. As a compensating control on systems that cannot be patched immediately, unload and blacklist the vmw_pvrdma module (echo 'blacklist vmw_pvrdma' > /etc/modprobe.d/vmw_pvrdma.conf and rmmod vmw_pvrdma) - the trade-off is loss of paravirtual RDMA acceleration inside affected guests, acceptable for workloads that do not actively use RDMA. Restricting which local users can open /dev/infiniband/uverbs* devices (via udev rules or rdma-core group membership) further narrows the attack surface where the driver must remain loaded.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy