Skip to main content

Linux Kernel EUVDEUVD-2026-32871

| CVE-2026-46112 HIGH
Improper Locking (CWE-667)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qv92-qxr2-xv3j
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:49 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.

Grab the same locks the other two callers use.

AnalysisAI

Local privilege escalation risk in the Linux kernel's RDMA/hns driver stems from an unlocked call to hns_roce_qp_remove() in the error unwind path of hns_roce_qp_remove_common(). Low-privileged local users on systems with HiSilicon RoCE (hns) RDMA hardware could trigger the error flow to corrupt kernel memory, with EPSS at 0.02% indicating no known exploitation, and no public exploit identified at time of analysis.

Technical ContextAI

The affected component is the HiSilicon Network System (hns) RDMA driver in the Linux kernel, which provides RoCE (RDMA over Converged Ethernet) support for HiSilicon network adapters. The bug lives in hns_roce_create_qp_common(), where the error cleanup path invokes hns_roce_qp_remove() without first acquiring the locks that the function requires (the same locks the two normal callers hold). This is a locking/concurrency defect - effectively a race condition that allows the QP (Queue Pair) removal data structures to be manipulated without serialization, risking memory corruption. No CWE was assigned, but the bug class corresponds to improper locking (CWE-667) leading to memory corruption.

RemediationAI

Apply the vendor-released patch by upgrading to a fixed kernel: mainline 7.1-rc3 or later, or one of the stable backports 7.0.7, 6.18.30, 6.12.88, or 6.6.140 depending on your stable series. Distribution kernels should pick up the fix via the linked stable commits at https://git.kernel.org/stable/c/0c99acbc8b6c6dd526ae475a48ee1897b61072fb and the four sibling commits listed in the NVD references; consult your distro's security tracker for the matching package. If patching is not immediately possible, compensating controls include unloading or blacklisting the hns_roce_hw_v2 module on hosts that do not require HiSilicon RDMA functionality (trade-off: disables RoCE on those NICs), or restricting access to /dev/infiniband/* and RDMA verbs interfaces to trusted users only via udev rules or namespace isolation (trade-off: breaks RDMA-using workloads run as non-root).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy