HIGH 7.8

CVE-2026-46117

A flaw in the Linux kernel's RDMA/mana driver allows unprivileged local users to trigger a kernel warning and corrupt memory by creating queue pairs (QPs) that share the same completion queue (CQ) through the user-space API. The vulnerability bypasses validation logic that should reject this invalid configuration, leading to kernel memory corruption. The fix enforces proper validation to reject such requests at creation time rather than allowing them to proceed and corrupt state.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-1288, CWE-617
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-30

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46117 is a local privilege escalation vulnerability in the Linux kernel's RDMA/mana (Microsoft Azure Network Adapter) driver affecting the mana_ib_create_qp_rss() function. The vulnerability stems from insufficient input validation when users specify work queue (WQ) configurations via the user-space API. Specifically, when a user requests multiple WQs to share the same completion queue (CQ), the kernel fails to validate this invalid configuration. Instead of rejecting the request early, the code proceeds to a WARN_ON() statement that can be triggered by an unprivileged user, followed by kernel memory corruption. The resolution adds explicit validation to reject such configurations before the invalid state propagates, preventing both the WARN_ON() and subsequent memory corruption.

Business impact

This vulnerability poses a significant internal security risk for organizations running affected Linux kernel versions on systems where untrusted local users have access. Exploitation allows privilege escalation from an unprivileged user context to kernel-level compromise, enabling adversaries to read sensitive kernel memory, modify critical system data, or trigger denial of service. For cloud providers and multi-tenant environments using RDMA-capable hardware, this creates cross-tenant risk if workloads from different customers share physical infrastructure. Systems in research, HPC, or data center environments where RDMA is deployed should treat this as a high-priority concern.

Affected systems

The vulnerability affects Linux kernel versions with the RDMA/mana driver. The mana_ib_create_qp_rss() function is invoked during queue pair creation in RDMA operations, so systems must have RDMA capability enabled and the mana driver compiled in or loaded as a module. This is primarily relevant on Azure infrastructure or systems with Microsoft Azure Network Adapter hardware. Standard Linux distributions on non-Azure infrastructure are unaffected unless they explicitly enable RDMA/mana support. Verify your kernel configuration and hardware to determine exposure.

Exploitability

The vulnerability is highly exploitable by local attackers with user-level privileges (PR:L per CVSS vector). No user interaction or special conditions are required beyond the ability to invoke the affected code path through the RDMA user-space API. The exploit is straightforward: craft a queue pair creation request specifying multiple WQs with a shared CQ, which an unprivileged user can do. The kernel will process the invalid configuration, trigger the WARN_ON(), and corrupt memory. No specialized tools or out-of-band access are required, making this a practical local privilege escalation vector for any user on an affected system.

Remediation

Apply kernel patches that add input validation to reject queue pair creation requests when multiple work queues attempt to share the same completion queue. This fix is delivered in updated kernel releases that contain the corrected mana_ib_create_qp_rss() function. Organizations should prioritize patching systems running affected kernel versions, particularly those in multi-tenant environments or where untrusted local user access exists. Additionally, restrict RDMA access to trusted users where possible, and disable RDMA/mana support on systems where it is not required.

Patch guidance

Update to a kernel version that includes the fix for mana_ib_create_qp_rss() validation. Consult your Linux distribution's security advisory for specific patched kernel versions and deployment timelines. For distributions on Azure infrastructure, verify the release notes and apply updates through your standard kernel update mechanism. Patch testing should verify that legitimate RDMA queue pair creation still functions correctly while invalid configurations are now rejected with an appropriate error message.

Detection guidance

Monitor kernel logs for rejected queue pair creation attempts with error codes indicating CQ validation failures in RDMA operations. Systems with audit logging enabled should capture user-space RDMA API calls that trigger validation rejections. Look for any instances of the mana_ib_create_qp_rss() function being called with suspicious parameters. On systems still running unpatched kernels, detection of the WARN_ON() in kernel logs is a reliable indicator that the vulnerability was triggered. Endpoint Detection and Response (EDR) solutions monitoring privilege escalation attempts may flag related activity if the exploitation reaches kernel state manipulation.

Why prioritize this

This vulnerability merits immediate prioritization due to the combination of local privilege escalation capability, straightforward exploitability, and high impact severity. The CVSS score of 7.8 reflects the ability of an unprivileged attacker to achieve complete kernel compromise. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities catalog, but the straightforward nature of exploitation makes public proof-of-concept development likely once awareness increases. Organizations should treat this as urgent for systems in sensitive environments or multi-tenant configurations.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) is assigned due to: Local Attack Vector (AV:L) reflecting the requirement for local access; Low Attack Complexity (AC:L) indicating no special conditions beyond standard API access; Low Privileges Required (PR:L) showing unprivileged user sufficiency; No User Interaction (UI:N); and Unchanged Scope (S:U). The impact ratings of High for Confidentiality, Integrity, and Availability reflect the potential for complete kernel compromise, enabling memory disclosure, data modification, and system crashes. This score appropriately captures the severity for local privilege escalation vectors with kernel-level compromise potential.

Frequently asked questions

Does this vulnerability affect my Linux system?

Only if your system has RDMA capability enabled with the mana (Microsoft Azure Network Adapter) driver loaded or compiled in. This is primarily relevant on Azure infrastructure or specific hardware configurations. Most standard Linux desktops and servers are unaffected unless explicitly running with RDMA support. Check your kernel configuration and loaded modules to confirm exposure.

Can this be exploited remotely or does it require local access?

This vulnerability requires local user access to the system. It cannot be exploited remotely. An attacker must have an unprivileged user account on the affected system to invoke the RDMA user-space API and trigger the flaw.

What exactly happens when this vulnerability is exploited?

When exploited, the vulnerability allows an unprivileged user to create a queue pair configuration that should be rejected. The kernel fails validation, triggers a warning, and then corrupts its own memory. This can lead to kernel crashes (denial of service), disclosure of sensitive kernel memory (information disclosure), or potentially arbitrary kernel code execution if the attacker can manipulate the corrupted memory region strategically.

How quickly should I apply patches for this issue?

Given the HIGH severity rating, straightforward exploitability, and privilege escalation potential, you should plan to patch affected systems within your standard emergency patch window—typically within 1-2 weeks. Prioritize systems in multi-tenant environments, shared hosting scenarios, or where untrusted users have local access. If patching requires kernel reboots, coordinate with your change management process but do not delay excessively.

This analysis is based on available vulnerability data as of the publication date. CVSS scores and severity ratings are provided by the source vulnerability database and interpreted by SEC.co analysts. Specific patched kernel versions and detailed patch availability should be verified against your Linux distribution's official security advisory. This analysis does not constitute security advice for any specific deployment; conduct your own risk assessment based on your infrastructure, threat model, and business context. No proof-of-concept code or detailed exploitation techniques are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-37220HIGH

    CVE-2026-37220: FlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure

  • CVE-2026-37221HIGH

    CVE-2026-37221: FlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash

  • CVE-2026-37222HIGH

    CVE-2026-37222: FlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation

  • CVE-2026-37223HIGH

    CVE-2026-37223: FlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability

  • CVE-2026-37224HIGH

    FlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash

  • CVE-2026-37225HIGH

    CVE-2026-37225: FlexRIC v2.0.0 Remote Denial of Service

  • CVE-2026-37227HIGH

    CVE-2026-37227: FlexRIC v2.0.0 Near-RT RIC Denial of Service (CWE-617)

  • CVE-2026-37228HIGH

    CVE-2026-37228: FlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow