CVE-2026-46126
CVE-2026-46126 is a memory cleanup bug in the Linux kernel's RDMA/mana driver that occurs during queue pair creation with RSS (Receive Side Scaling) support. When certain operations fail during setup, the kernel fails to properly release allocated work queue objects, leaving dangling resources. An unprivileged local user can trigger this condition to cause a denial of service by exhausting kernel resources or crashing the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound. First there is a double i-- on the first failure path due to the while loop having a i--, remove it. Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in mana_ib_create_qp_rss() within the RDMA mana driver. During error handling in the work queue table unwinding logic, two distinct bugs corrupt resource cleanup: (1) a redundant decrement operation (i--) appears both in the while loop condition and at the failure point, causing iterator underflow and skipping cleanup iterations, and (2) when mana_ib_install_cq_cb() fails, the preceding mana_create_wq_obj() allocation is never undone because the corrupted iterator causes the cleanup loop to exit prematurely. This leads to unreleased queue objects remaining in kernel memory.
Business impact
Denial of service is the primary risk. Repeated exploitation of this bug allows local attackers to leak kernel resources until system stability degrades or crashes, disrupting services relying on RDMA networking, particularly high-performance computing clusters, storage arrays, and cloud infrastructure using RDMA for low-latency communication. Recovery requires system restart. In multi-tenant environments, a single user can degrade performance for all workloads on the host.
Affected systems
Linux kernel systems with the RDMA mana driver compiled or loaded. This includes kernels built with CONFIG_INFINIBAND_MANA enabled. Primarily affects Azure cloud infrastructure and systems using Mana-based RDMA hardware, though the driver may be present on generic Linux distributions. Systems without RDMA hardware or with the mana driver disabled are not vulnerable.
Exploitability
Exploitability is straightforward for local attackers with unprivileged user access. No special capabilities or kernel modules are required beyond the ability to invoke the vulnerable code path through RDMA queue pair creation APIs. The attack is deterministic and repeatable. Remote exploitation is not possible; the attacker must have local user-level access to the affected system.
Remediation
Apply a kernel update containing the fix that corrects both the iterator double-decrement and ensures mana_create_wq_obj() cleanup occurs regardless of subsequent failure points. Verify against your Linux distribution's security advisory for the specific patched kernel version. For systems unable to patch immediately, restrict RDMA queue pair creation to trusted users via access controls if the mana driver is not essential.
Patch guidance
Monitor your Linux distribution's kernel update channels for a patched version addressing CVE-2026-46126. The fix involves correcting the work queue table unwinding logic in mana_ib_create_qp_rss(). Verify the patch notes explicitly mention removal of the redundant i-- and proper cleanup of mana_create_wq_obj() on all failure paths. Test patches in a non-production environment before deployment, particularly for RDMA-dependent workloads. If using Azure or Mana-specific distributions, prioritize their security advisories.
Detection guidance
Monitor kernel logs for repeated RDMA queue pair creation failures or resource exhaustion warnings specific to mana driver allocations. Watch for kmemleak reports indicating unreleased mana queue objects if CONFIG_DEBUG_KMEMLEAK is enabled. Network monitoring may reveal sudden drops in RDMA throughput or connection failures as kernel memory fills. On systems under attack, vmstat will show increasing memory usage with no corresponding application allocation. Enable audit logging for RDMA subsystem calls if available in your kernel configuration.
Why prioritize this
CVSS 5.5 (Medium) reflects local-only access requirement and lack of confidentiality or integrity impact. However, prioritize patching RDMA-intensive infrastructure—HPC clusters, cloud provider host kernels, and storage array controllers—as denial of service in these environments has outsized business impact. General-purpose systems with RDMA driver disabled can defer patching to routine maintenance windows.
Risk score, explained
The CVSS 3.1 score of 5.5 assigns Medium severity because: Attack Vector is Local (unprivileged user access required, not remote), Privileges Required are Low (standard user level), User Interaction is None (automatic on API call), and Impact is Availability only (resource exhaustion/crash, no data breach). The score appropriately reflects a classic local denial-of-service bug. Organizations relying on RDMA should weight this higher operationally despite the Medium base score.
Frequently asked questions
Does this affect systems without RDMA hardware?
No. Systems without RDMA NICs or with the mana driver disabled are not vulnerable. The code path is only reachable through RDMA queue pair creation APIs. Verify with 'modinfo mana' or check kernel config—if not compiled in or loaded, you are unaffected.
Can this be exploited remotely?
No. Exploitation requires local user-level access to invoke RDMA APIs. Remote attackers cannot trigger this vulnerability. It is a privilege escalation risk only from unprivileged to affecting system availability, not from outside the network.
What is the practical impact of the resource leak?
Each failed queue pair creation leaks kernel memory. Repeated triggering exhausts memory pools reserved for RDMA operations, causing new queue pair creations to fail, RDMA connections to drop, and eventually kernel memory pressure may force OOM kills or system crash. Impact scales with how frequently the error path is triggered.
Should we disable the mana driver if we don't use RDMA?
Yes, if RDMA is not in use, disabling the mana driver via kernel config or module blacklist eliminates exposure to this and related RDMA driver bugs. However, verify no dependent services rely on it first, particularly in cloud or HPC environments where it may be enabled by default.
This analysis is based on the published CVE description and CVSS vector as of the source data date. Verify all patch versions, affected kernel releases, and distribution-specific advisories directly with your Linux vendor or kernel.org before applying updates. CVSS scores represent base risk; organizational impact may differ significantly based on infrastructure architecture and RDMA deployment. This document is for informational purposes and does not constitute security advice for your specific environment. Test patches in isolated environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Browse
Related vulnerabilities
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUM
CVE-2026-10912: Chrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUM
CVE-2026-10916: Chrome DevTools UXSS Vulnerability | SEC.co Analysis
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUM
CVE-2026-11004: Chrome ANGLE Out-of-Bounds Read Memory Disclosure