Skip to main content

Linux Kernel EUVDEUVD-2026-27650

| CVE-2026-43120 HIGH
Double Free (CWE-415)
2026-05-06 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:29 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix double free related to rereg_user_mr

If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again.

Fix this by setting iwmr->region to NULL after ib_umem_release.

Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")

AnalysisAI

Double-free memory corruption in Linux kernel RDMA/irdma driver allows local authenticated users to cause denial of service or potentially escalate privileges. The vulnerability occurs during memory region re-registration (rereg_user_mr) when IB_MR_REREG_TRANS flag is set: if umem allocation succeeds but subsequent steps fail, the umem is freed without nulling the pointer, leading to double-free when userspace calls ibv_dereg_mr. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation in the wild, with no active exploitation confirmed (not in CISA KEV).

Technical ContextAI

This affects the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically the Intel Ethernet RDMA (irdma) driver introduced to support re-registration of memory regions. The vulnerability is a use-after-free/double-free condition in the ib_umem (InfiniBand user memory) management code. When applications use the IB_MR_REREG_TRANS flag to change the translation (virtual-to-physical mapping) of a memory region, the irdma_rereg_mr_trans function releases the old umem structure via ib_umem_release() and allocates a new one. However, if allocation succeeds but a subsequent validation or setup step fails, the error path calls ib_umem_release() again without setting iwmr->region to NULL. When the failure propagates to userspace and the application correctly calls ibv_dereg_mr() to clean up, the deregistration path encounters the dangling pointer and attempts to free the already-freed memory. This is a classic double-free vulnerability (related to CWE-415, though not explicitly tagged), typically exploitable for denial of service and potentially for privilege escalation if an attacker can control heap layout. The affected CPE strings indicate broad impact across Linux kernel versions containing the RDMA/irdma driver code introduced in commit 5ac388db27c4.

RemediationAI

Apply vendor-released kernel patches immediately for RDMA-enabled systems: upgrade to Linux kernel 6.6.136+ (for 6.6.x series), 6.12.83+ (for 6.12.x), 6.18.24+ (for 6.18.x), 6.19.14+ (for 6.19.x), or 7.0+ for mainline. Patch details available at https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 and related stable branch commits. For systems that cannot immediately patch, compensating controls include: (1) unload or blacklist the irdma kernel module if RDMA functionality is not required (add 'blacklist irdma' to /etc/modprobe.d/blacklist.conf and rebuild initramfs); (2) restrict /dev/infiniband/* device access to trusted users only via udev rules or filesystem permissions, preventing unprivileged local users from opening RDMA device files; (3) disable user memory registration capabilities via RDMA subsystem parameters if the deployment does not require memory re-registration operations. Note that disabling RDMA entirely will break dependent applications (HPC workloads, NVMe-oF, distributed storage). Verify application compatibility before applying mitigations in production environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy