Skip to main content

Linux Kernel mlx5e EUVDEUVD-2026-32373

| CVE-2026-45907 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jpj8-hw92-vqgg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger requiring NIC error conditions; low privilege needed; pure availability impact via deadlock; no confidentiality or integrity loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:40 vuln.today
CVSS changed
Jun 24, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix deadlocks between devlink and netdev instance locks

In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering.

The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock.

But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover

The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout

Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary.

AnalysisAI

Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.

Technical ContextAI

The affected component is net/mlx5e, the Ethernet driver for Mellanox/NVIDIA ConnectX network adapters (CPE: cpe:2.3:o:linux:linux_kernel). The root cause is CWE-667 (Improper Locking): a prior fix introduced netdev_trylock calls at the top of recovery work handlers (mlx5e_tx_err_cqe_work, mlx5e_reporter_rx_timeout, mlx5e_reporter_tx_ptpsq_unhealthy, mlx5e_reporter_tx_timeout), but those handlers also invoke devlink_health_report, which internally acquires the devlink lock. The kernel-mandated acquisition order established at probe time is devlink lock → rtnl lock → netdev lock. By holding the netdev lock and then entering devlink_health_report, the recovery path reverses this ordering, creating a classic lock-ordering (ABBA) deadlock between any concurrent devlink operation and a health-recovery work task.

RemediationAI

Upgrade the Linux kernel to 6.18.14, 6.19.4, or 7.0+, which incorporate the upstream fixes via commits 4329514c61abefe4961541b128c549b017bab5ad, 63f9d5fb4d8040077df801ca3270e2f02d55e0d9, and 83ac0304a2d77519dae1e54c9713cbe1aedf19c9, available at https://git.kernel.org/stable/c/. For systems where a kernel upgrade is not immediately feasible, an interim compensating control is to avoid conditions that trigger mlx5e health-reporter recovery: monitor and reduce TX/RX error rates on Mellanox interfaces and consider disabling the mlx5e health-reporter via ethtool devlink health commands if the operational context permits. Unloading the mlx5e module entirely eliminates the attack surface but disables the NIC. Distribution-specific backports from Red Hat, Ubuntu, SUSE, and Debian should be monitored, as the fixes involve stable-tree commits likely to be backported to LTS kernels.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy