Skip to main content

Linux Kernel EUVDEUVD-2026-32876

| CVE-2026-46117 HIGH
Reachable Assertion (CWE-617)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-c74j-26pg-r222
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.8
Analysis Generated
May 30, 2026 - 11:51 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.

Just reject it outright and fail the QP creation.

AnalysisAI

Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA/mana driver allows authenticated local users to trigger a user-reachable WARN_ON() and subsequently corrupt kernel memory by specifying Work Queues that share the same Completion Queue through the uAPI of mana_ib_create_qp_rss(). The flaw affects Linux 6.8 through versions before the patched 6.12.91, 6.18.30, 7.0.7, and 7.1-rc3 releases. No public exploit identified at time of analysis, and EPSS scoring is low at 0.02%.

Technical ContextAI

The vulnerability resides in the Microsoft Azure Network Adapter (MANA) InfiniBand/RDMA driver (drivers/infiniband/hw/mana) in the Linux kernel, specifically the mana_ib_create_qp_rss() function that handles Queue Pair (QP) creation for Receive Side Scaling (RSS). RDMA QPs are paired with Completion Queues (CQs) to signal I/O completion events. The user-space API permitted callers to register multiple Work Queues (WQs) referencing the same CQ - a state the driver did not expect - which tripped a WARN_ON() assertion and proceeded into a code path that corrupted kernel structures. The fix simply validates the input and rejects QP creation when the unsupported sharing condition is detected, eliminating the assertion and the resulting memory corruption. No CWE was assigned, but the root cause is an input validation gap (CWE-20 class) producing improper resource handling in privileged kernel context.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.91, 6.18.30, 7.0.7, or 7.1-rc3 (or any later release) which contain the commits that reject QP creation when WQs share a CQ; the canonical fixes are at https://git.kernel.org/stable/c/9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71 and the parallel stable backports listed in the ENISA EUVD entry. On distribution kernels, install the vendor-provided kernel security update once available and reboot. As a compensating control until patching, unload or blacklist the mana_ib kernel module (modprobe -r mana_ib; add 'blacklist mana_ib' under /etc/modprobe.d/) on hosts that do not require Azure MANA RDMA - this fully removes the vulnerable code path but disables RDMA acceleration for the MANA NIC. Alternatively, restrict access to /dev/infiniband/uverbs* via udev rules or namespace/container policies so only trusted users can open RDMA verbs devices, accepting that legitimate RDMA workloads running as non-root will lose functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy