Skip to main content

Linux Kernel EUVDEUVD-2026-32885

| CVE-2026-46126 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7m9c-w4qh-f86c
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privilege required to issue RDMA QP calls; no confidentiality or integrity impact; kernel crash produces high availability impact only.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 16:53 vuln.today
CVSS changed
Jun 24, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()

Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.

First there is a double i-- on the first failure path due to the while loop having a i--, remove it.

Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.

AnalysisAI

Improper error-path cleanup in the RDMA/mana driver's mana_ib_create_qp_rss() function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant i-- that skips a cleanup iteration, and a missed mana_destroy_wq_obj() call when mana_ib_install_cq_cb() fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.

Technical ContextAI

The vulnerability resides in the RDMA (Remote Direct Memory Access) driver for the Microsoft Azure Network Adapter (MANA) in the Linux kernel, first introduced at commit c15d7802a42402a87880a17eee89ff023e49ecc0 in Linux 6.8. The mana_ib_create_qp_rss() function creates Queue Pair objects with RSS (Receive Side Scaling) for hardware-distributed receive queuing. Its error unwind loop contains two defects: (1) a superfluous i-- inside the while loop body that conflicts with the loop's own decrement, causing the cleanup iterator to skip one WQ object, and (2) because of the resulting off-by-one index state, mana_destroy_wq_obj() is never called to undo mana_create_wq_obj() when mana_ib_install_cq_cb() returns an error. This constitutes an incomplete cleanup / improper resource release pattern (conceptually CWE-459 / CWE-415, though no CWE is formally assigned). The CPE cpe:2.3:o:linux:linux_kernel:* confirms the scope is the upstream Linux kernel across all architectures, but the code path is only reachable when the mana_ib module is loaded, which requires MANA NIC hardware exclusive to Azure. The 'Information Disclosure' tag present in source data conflicts with the CVSS C:N metric and the commit description - no confidentiality impact is indicated and this tag appears to be a tagging artifact.

RemediationAI

Upgrade the Linux kernel to a patched stable release matching your running branch: 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3. All four fix commits are available via kernel.org stable trees and linked above. If an immediate kernel update is operationally infeasible and RDMA functionality is not required, unloading the mana_ib kernel module (modprobe -r mana_ib) eliminates the vulnerable code path with the trade-off of disabling RDMA/InfiniBand capabilities on MANA NICs; this is acceptable for workloads that do not use RDMA. Additionally, restricting RDMA device file descriptor access to only authorized users or groups (via udev rules or cgroup device policies) reduces the privilege surface even on unpatched systems. Systems outside Azure with MANA NICs, or those where the mana_ib module is not loaded, require no action.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy