HIGH 7.8

CVE-2026-46112

A locking bug exists in the Linux kernel's RDMA HNS driver when creating queue pairs. During error recovery in queue pair creation, the code attempts to clean up resources without holding required synchronization locks. This unlocked cleanup can corrupt internal kernel memory structures, potentially allowing a local attacker to escalate privileges or crash the system. The vulnerability affects the error handling path specifically—the normal operation path uses proper locking.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-667
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory. Grab the same locks the other two callers use.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46112 is a race condition in the Linux kernel's HNS RDMA driver (drivers/infiniband/hw/hns/). The function hns_roce_qp_remove() modifies shared queue pair data structures and requires callers to hold specific locks for thread safety. In the error unwind path of hns_roce_create_qp_common(), this function is called without acquiring those locks, creating a window where concurrent access can lead to memory corruption. The two normal code paths that call hns_roce_qp_remove() correctly hold the required locks; the vulnerability is isolated to error handling.

Business impact

For organizations running Linux systems with HNS RDMA hardware (primarily Huawei/HNS-based InfiniBand deployments), this vulnerability poses a local privilege escalation and denial-of-service risk. An authenticated local user could trigger queue pair creation failures to exploit the race condition, potentially gaining kernel-level access or crashing RDMA services. Systems used for high-performance computing, cloud infrastructure with RDMA networking, or data center interconnect fabric are most exposed. The impact is limited to local attack surface—remote exploitation is not possible.

Affected systems

Linux kernel versions containing the vulnerable hns_roce_qp_remove() code path in the HNS RDMA driver. This affects systems using Huawei HNS or compatible RDMA hardware. Desktop and server systems without RDMA hardware or without the HNS driver are unaffected. Verify affected kernel versions and HNS driver versions against the official Linux kernel security advisory and your vendor's release notes.

Exploitability

Exploitation requires local system access (PR:L in CVSS) and standard user privileges. An attacker must be able to trigger queue pair creation operations that fail, forcing the vulnerable error path. While not trivial, queue pair creation is accessible to RDMA-aware applications running on the system. No special hardware configuration or user interaction is needed once execution begins. The vulnerability is not currently tracked in CISA's KEV catalog, suggesting active exploitation in the wild has not yet been confirmed, but the flaw is straightforward enough that exploitation tools could emerge quickly once awareness spreads.

Remediation

Apply Linux kernel patches that add proper lock acquisition in the hns_roce_create_qp_common() error unwinding path. The fix ensures the same locks held by other callers of hns_roce_qp_remove() are acquired before cleanup. Systems should update to patched kernel versions as provided by their distribution or the Linux kernel project. For systems where immediate patching is infeasible, restrict local access and disable RDMA services if not essential.

Patch guidance

Monitor Linux kernel security advisories and your distribution's update channels for patched versions addressing this CVE. The fix is a straightforward locking addition to error handling code and should be low-risk. Test patches in a staging environment before production deployment, particularly on systems with active RDMA workloads. Verify kernel version after patching using `uname -r` and confirm the HNS RDMA driver is updated.

Detection guidance

Monitor kernel logs for memory corruption warnings, NULL pointer dereferences, or crashes in the RDMA subsystem (look for HNS driver stack traces). Systems with verbose logging can watch for queue pair creation failures followed by data corruption indicators. Intrusion detection systems can flag repeated queue pair creation attempts by unprivileged users, though this is not proof of exploitation. Kernel ASAN (Address Sanitizer) or other memory debugging tools, if enabled, would highlight corruption attempts. Check system audit logs for failed RDMA operations correlated with privilege escalation or unexpected kernel panics.

Why prioritize this

This is a HIGH severity (7.8 CVSS) local privilege escalation affecting specialized RDMA infrastructure. Prioritize based on your environment: systems with HNS RDMA hardware in trusted but multi-tenant environments need urgent patching. Organizations using RDMA for HPC, cloud networking, or storage should patch within days to weeks. Systems without RDMA hardware can deprioritize. The lack of KEV listing and remote exploitability constraints it to targeted insider threats, but privilege escalation potential and the likelihood of future exploit tools make it serious.

Risk score, explained

CVSS 7.8 (HIGH) reflects high impact (integrity and availability compromise, privilege escalation) and local attack vector. The score is appropriate: memory corruption via unlocked code can crash systems or elevate privileges, but requires local access and valid user credentials. The straightforward nature of the bug (missing locks) and the specificity to HNS hardware prevent a critical score. Organizations with no RDMA exposure should treat this as medium risk; those with HNS infrastructure should treat it as high.

Frequently asked questions

Do I need to patch if I don't use RDMA hardware?

No. If your Linux systems do not have HNS RDMA network interface cards or do not load the HNS RDMA driver, this CVE does not apply. Check your hardware inventory and kernel module list (`lsmod | grep hns`) to confirm.

Can this be exploited remotely over the network?

No. CVE-2026-46112 requires local system access and the ability to run code as an unprivileged user. Remote network-based exploitation is not possible. Your exposure depends on who has shell access to affected systems.

What is the difference between this and a normal deadlock bug?

This is a race condition where unprotected access to shared data can corrupt memory rather than simply hang. A traditional deadlock stalls execution; this vulnerability allows concurrent threads to modify queue pair structures simultaneously, causing silent data corruption and potential privilege escalation.

If I can't patch immediately, what can I do?

Restrict shell access to affected systems to trusted administrators only. Disable RDMA services if not essential. Monitor kernel logs and system stability closely. Prioritize patching systems in multi-tenant environments or with elevated privilege user access. Plan patching for your next maintenance window.

This analysis is based on publicly available information current as of the publication date. Specific patch version numbers and remediation steps should be verified against official Linux kernel security advisories, your distribution's security announcements, and vendor documentation. Security researchers and organizations should test patches thoroughly before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends consultation with qualified security personnel for deployment decisions specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46156MEDIUM

    CVE-2026-46156: Linux Kernel Loongson GPU Driver ADE Panic on Loongarch

  • CVE-2026-46165MEDIUM

    CVE-2026-46165: Linux Kernel Open vSwitch Vport Deadlock Denial of Service

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10009HIGH

    CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance