Skip to main content

Linux Kernel EUVDEUVD-2026-32808

| CVE-2026-46181 HIGH
Race Condition within a Thread (CWE-366)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pw2f-xmgc-f22m
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:02 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.

AnalysisAI

Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.

Technical ContextAI

The flaw resides in the mlx4 InfiniBand/RDMA driver (drivers/infiniband/hw/mlx4) which supports Mellanox ConnectX-3 and earlier HCAs, specifically in the Shared Receive Queue (SRQ) event handler mlx4_srq_event(). The original code used RCU (Read-Copy-Update) to protect lookups in a radix_tree, but while the radix_tree itself is RCU-safe, the mlx4_srq objects it indexes are freed using normal kfree() rather than call_rcu()/kfree_rcu(), and the event handler does not actually execute inside an rcu_read_lock() critical section. This creates a classic use-after-free / time-of-check-to-time-of-use race when an asynchronous SRQ event is delivered while the object is being torn down or before refcount_set() finalizes initialization. The fix replaces the unsound RCU pattern with the SRQ spinlock plus refcount_inc_not_zero() to safely reject partially constructed objects, and reorders refcount_set() to occur only after full initialization.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.30, 7.0.7, 7.1-rc3 or later as listed in the EUVD record, applying the upstream commits 1e2a44875b6a, 8b7833f3bce3, and c9341307ea16 from git.kernel.org/stable. Distribution users should pull the corresponding stable-tree update from their vendor (RHEL, SUSE, Ubuntu, Debian, Oracle Linux) once published; consult https://nvd.nist.gov/vuln/detail/CVE-2026-46181 for cross-references. As a compensating control on systems that cannot reboot immediately, unload the mlx4_ib module (modprobe -r mlx4_ib) or blacklist it if RDMA is unused - the trade-off is loss of InfiniBand/RoCE functionality on Mellanox ConnectX-3 hardware, breaking RDMA-based storage (NFS-RDMA, iSER), MPI workloads, and any application using libibverbs against mlx4. Where the driver must remain loaded, restrict local shell access and RDMA verbs device access (/dev/infiniband/*) to trusted users only, since exploitation requires local code execution privileges.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy