HIGH 7.8

CVE-2026-46181: Linux mlx4 RDMA Driver RCU Misuse Privilege Escalation

A synchronization flaw in the Linux kernel's RDMA/mlx4 driver allows a local attacker to cause memory corruption or system crash. The vulnerability stems from improper use of Read-Copy-Update (RCU) locking in the mlx4_srq_event() function, which fails to protect against race conditions during Shared Receive Queue (SRQ) initialization and event delivery. An attacker with local access can trigger device events before SRQ objects finish initializing, leading to kernel memory access violations with high impact to confidentiality, integrity, and availability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-366
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-07-06

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.

14 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46181 is a synchronization vulnerability in the Linux kernel's RDMA/mlx4 driver. The mlx4_srq_event() function incorrectly relies on RCU protection without actually freeing mlx4_srq structures via RCU callbacks, and accesses occur outside the RCU critical section, negating the protection model. More critically, the function does not guard against partially initialized SRQ objects—if an RDMA event arrives before initialization completes, the handler dereferences uninitialized pointers. The fix replaces RCU with proper spinlock-based synchronization, uses refcount_inc_not_zero() to atomically validate object initialization state, and orders refcount_set() after full SRQ initialization to ensure coherent state. This is a CWE-366 (Race Condition within a Thread) issue affecting the RDMA subsystem.

Business impact

This vulnerability affects any Linux system running the mlx4 RDMA driver (commonly found in InfiniBand-capable infrastructure and HPC environments). Exploitation can lead to kernel panic, denial of service, or potential privilege escalation and data corruption. Organizations relying on RDMA for low-latency cluster communication, storage networks, or virtualized environments face operational disruption if unpatched. The flaw is particularly concerning in multi-tenant environments where local users may be present.

Affected systems

The vulnerability affects the Linux kernel across versions that include the mlx4 RDMA driver. This primarily impacts systems with Mellanox InfiniBand adapters or compatible hardware using mlx4-based RDMA. Affected deployments include HPC clusters, enterprise storage systems (NVMe over Fabrics, iSER), and virtual machine hosts using RDMA for live migration or network offload. Consumer systems without RDMA hardware are not impacted.

Exploitability

Exploitation requires local access and low privileges (standard user context). No special capabilities or authentication are required beyond basic system access. An attacker can trigger RDMA device events through unprivileged operations, potentially racing against SRQ initialization or forcing event delivery during setup. The vulnerability is deterministic on systems with active RDMA workloads and timing-dependent on idle systems, making lab reproduction feasible but real-world exploitation dependent on workload characteristics. It is not currently known to be actively exploited in the wild.

Remediation

Apply the kernel patch that implements spinlock-based synchronization in mlx4_srq_event(), replaces implicit RCU protection with explicit refcount_inc_not_zero() checks, and ensures refcount_set() is called only after complete SRQ initialization. Verify the fix against the vendor advisory to confirm the exact patch version for your kernel branch (mainline, stable, or distribution-specific). Recompile and reboot systems running the mlx4 driver.

Patch guidance

Obtain and apply the security patch from your Linux distribution's kernel update mechanism or from kernel.org. The fix modifies drivers/infiniband/hw/mlx4/qp.c. Verify patch application by confirming that (1) mlx4_srq_event() now uses spinlock protection, (2) refcount_inc_not_zero() gates event handling, and (3) refcount_set() is deferred until after SRQ initialization. Test in a non-production environment first, particularly on systems with active InfiniBand or NVMe-over-Fabrics workloads, to ensure stability. No special configuration changes are required post-patch.

Detection guidance

Monitor kernel logs for repeated 'mlx4' or 'RDMA' error messages, particularly those mentioning SRQ events or memory access violations. Tools like auditd can track RDMA subsystem calls. Look for kernel warnings or panics that reference mlx4_srq_event() in stack traces. On running systems, review dmesg for rate-limited kernel warnings or BUG/OOPS messages shortly after RDMA device events. Network telemetry showing unexpected InfiniBand frame errors or link resets may also indicate exploitation attempts. Intrusion detection systems should flag local process activity that manipulates RDMA device event queues or performs rapid device state transitions.

Why prioritize this

Prioritize this patch for systems running the mlx4 RDMA driver in multi-tenant or shared-access environments. The HIGH severity (CVSS 7.8) reflects local exploitability combined with high impact on all three security dimensions. While not yet in the known exploited vulnerabilities catalog, the low barrier to trigger events and deterministic crash paths make this a medium-term risk. Organizations running HPC, enterprise storage, or virtualization clusters should patch within 2–4 weeks; others can follow standard monthly patching cycles.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector Local (requires presence on target), Attack Complexity Low (race is straightforward), Privileges Required Low (standard user suffices), User Interaction None (event-driven), Scope Unchanged (kernel-only), and impact of High on all three CIA dimensions (crash = availability loss; memory corruption = integrity/confidentiality loss). The score appropriately weights local-only access against high kernel-level impact. Organizations should not underestimate this score in RDMA-enabled infrastructure.

Frequently asked questions

Does this affect systems without InfiniBand hardware or RDMA capability?

No. This vulnerability is specific to the mlx4 RDMA driver, which is only present and active on systems with Mellanox InfiniBand adapters or compatible RDMA hardware. Standard Ethernet-only systems are not affected.

Can this be exploited remotely over the network?

No. Exploitation requires local code execution (unprivileged user access) on the target system. An attacker cannot trigger this vulnerability remotely; they must have a shell or user account on the affected machine.

What is the risk if I cannot patch immediately?

In single-user or non-shared systems, risk is lower if local users are trusted. In multi-tenant environments (shared HPC clusters, cloud VMs, containers), restrict RDMA access, disable the mlx4 module if unused, or isolate RDMA workloads to trusted processes while awaiting patches.

Why does this affect RDMA specifically?

RDMA hardware requires kernel-level event handlers to manage connection and transfer state asynchronously. The mlx4 driver's SRQ event handler was unsafe against partially initialized objects and timing races between initialization and event delivery—a problem endemic to early RDMA driver designs that has been progressively fixed across vendor implementations.

This analysis is based on public vulnerability data available as of the stated publication date. CVSS scores and patch details reflect information from kernel.org and associated vendor advisories at time of publication. Organizations should verify patch availability and compatibility with their specific kernel version and distribution before deployment. Testing in a non-production environment is strongly recommended. This writeup does not constitute legal or compliance advice; consult your organization's security and legal teams regarding deadline and regulatory obligations. Actual exploitability may vary based on kernel configuration, driver version, hardware, and workload characteristics. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).