HIGH 7.8

CVE-2026-46176: Linux RDMA mlx5 Use-After-Free in SRQ Initialization

A flaw in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem for Mellanox adapters causes improper error handling when initializing shared receive queues. When the second queue creation fails, the kernel incorrectly leaves freed memory pointers and error codes in place instead of properly backing out. This can lead to use-after-free conditions and memory corruption when subsequent operations attempt to access or clean up these corrupted pointers.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-825
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-07-02

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.

12 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46176 is a control-flow and resource management bug in mlx5_ib_dev_res_srq_init() within the RDMA/mlx5 driver. The function attempts to allocate two SRQs (s0 and s1). On ib_create_srq() failure for s1, the error handler destroys s0 but fails to return early, instead falling through and assigning both the freed s0 pointer and an ERR_PTR encoded error to devr->s0 and devr->s1. This violates the invariant that valid pointers should exist or the fields should remain uninitialized. The fastpath check "if (devr->s1) return 0" then misinterprets the ERR_PTR as successful initialization. Later, mlx5_ib_create_qp() dereferences these invalid pointers via to_msrq() macros, and mlx5_ib_dev_res_cleanup() performs double-free and ERR_PTR dereference on teardown. The fix adds a goto unlock statement in the s1 failure branch to match the s0 failure path semantics.

Business impact

Systems running affected Linux kernel versions with RDMA/Mellanox adapters face elevated risk of kernel panic, data corruption, and privilege escalation. A local attacker with sufficient privileges to trigger QP creation can exploit the use-after-free to corrupt kernel memory or achieve code execution within the kernel context. This is particularly concerning in shared hosting, HPC clusters, and cloud environments where RDMA is used for high-speed interconnect. Unplanned kernel crashes or panics disrupt workloads and services relying on RDMA communication.

Affected systems

The vulnerability affects Linux kernel versions containing the vulnerable mlx5_ib_dev_res_srq_init() function in the RDMA subsystem. Impact is limited to systems with Mellanox InfiniBand or RoCE adapters and RDMA kernel modules compiled and loaded. Systems without these adapters or without CONFIG_INFINIBAND_MLX5 enabled are not affected. Container and VM environments using RDMA pass-through are at risk if running vulnerable kernel versions.

Exploitability

Exploitation requires local access and sufficient privileges (PR:L in the CVSS vector) to invoke RDMA operations that trigger QP initialization with SRQ allocation. While not remotely exploitable, the low complexity and lack of user interaction requirements make it practical for local attackers to trigger. The vulnerability is triggered through standard RDMA API calls, not requiring specialized knowledge. No evidence of active exploitation in the wild has been disclosed, but the ease of local triggering warrants timely patching.

Remediation

Apply kernel updates from your Linux distribution that include the fix for CVE-2026-46176. The remedy is a minimal code change adding proper error-path control flow (goto unlock) to prevent the fall-through assignment of invalid pointers. Verify against vendor advisories for specific patch versions and kernel branch availability. Until patching is possible, restrict RDMA operations to trusted users and consider disabling RDMA modules if not operationally required.

Patch guidance

Obtain updates from your Linux distribution (Red Hat, Canonical, SUSE, etc.) that backport the fix to supported kernel series. Check kernel release notes and security advisories for version numbers incorporating this fix. Verify the commit message or patch content references mlx5_ib_dev_res_srq_init() error-path correction before applying. Testing on non-production RDMA infrastructure is recommended prior to production deployment to validate workload compatibility.

Detection guidance

Monitor for kernel oops or panic messages related to mlx5_ib or RDMA subsystems, particularly those involving use-after-free or NULL pointer dereference in mlx5_ib_create_qp() or mlx5_ib_dev_res_cleanup(). Enable CONFIG_DEBUG_PAGEALLOC and KASAN (Kernel Address Sanitizer) in development/test kernels to catch memory corruption early. Track RDMA QP creation and SRQ allocation patterns; repeated failures or crashes during these operations may indicate exploitation attempts or triggering of this bug.

Why prioritize this

The combination of HIGH CVSS score (7.8), local privilege requirement, and kernel memory corruption potential warrants priority patching for systems using RDMA. The use-after-free and double-free conditions can lead to privilege escalation and denial of service. While not actively exploited according to KEV data, the straightforward nature of triggering and the critical role of RDMA in infrastructure justify expedited deployment in affected environments.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector Local (systems require local access); Attack Complexity Low (standard RDMA APIs trigger the bug); Privileges Required Low (attacker needs some elevated capability); User Interaction None (automatic upon triggering); Scope Unchanged (impact confined to affected system); Confidentiality High (memory corruption can leak kernel data); Integrity High (memory corruption enables arbitrary kernel writes); Availability High (kernel panic from use-after-free). The score does not account for low prevalence of RDMA deployment, which may lower real-world risk in some environments.

Frequently asked questions

Does this vulnerability affect systems without Mellanox RDMA adapters?

No. The vulnerability is specific to the mlx5_ib RDMA driver used with Mellanox InfiniBand and RoCE adapters. Systems without these adapters or with the mlx5_ib module disabled are unaffected.

Can this be exploited remotely?

No. The CVSS vector indicates local attack vector only. An attacker must have local system access and sufficient privileges to invoke RDMA operations. Remote exploitation is not possible.

What happens if I don't patch?

Affected systems remain vulnerable to local privilege escalation and kernel denial of service via use-after-free corruption. In production RDMA environments, this increases the risk of unplanned service disruptions and potential data integrity issues.

Is there a workaround if I cannot patch immediately?

Restrict local user access to RDMA operations via AppArmor, SELinux, or similar security frameworks. Alternatively, unload the mlx5_ib module if RDMA is not operationally required. These are temporary measures; patching remains the definitive fix.

This analysis is based on publicly disclosed CVE data as of the publication date. Patch availability, version numbers, and distribution timelines should be verified directly with your Linux vendor or kernel maintainers. CVSS scores represent potential impact under ideal conditions and may not reflect actual risk in your specific environment. No active exploitation has been disclosed; however, security posture should assume sophisticated attackers can develop exploits for disclosed vulnerabilities. This information is provided for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment and testing before deploying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).