HIGH 7.8

CVE-2026-46189: Linux Kernel RDMA vmw_pvrdma Double Free Vulnerability

A flaw in the Linux kernel's RDMA (Remote Direct Memory Access) vmw_pvrdma driver causes the same memory block to be freed twice when certain error conditions occur during user context allocation. When the pvrdma_alloc_ucontext() function encounters an error, it attempts to clean up by calling pvrdma_uar_free(). However, the normal cleanup path (pvrdma_dealloc_ucontext()) also calls this same free function, resulting in a double-free scenario. This type of memory corruption can lead to kernel crashes or potentially be exploited for privilege escalation on systems with unprivileged user access to RDMA devices.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-1341, CWE-415
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-07-01

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

14 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the vmw_pvrdma driver's error handling path within pvrdma_alloc_ucontext(). The function fails to account for the fact that pvrdma_dealloc_ucontext() will later invoke pvrdma_uar_free() during its cleanup routine. When pvrdma_alloc_ucontext() hits an error condition and immediately calls pvrdma_uar_free() before returning the error status, it leaves a stale pointer or freed memory reference that gets dereferenced again when the dealloc function runs. This violates memory safety guarantees and corresponds to CWE-1341 (Reuse of Uninitialized Variable) and CWE-415 (Double Free), allowing either a use-after-free or direct double-free condition. The kernel CVSS score of 7.8 (HIGH) reflects the local privilege escalation risk given that RDMA access requires some level of privilege but not administrative rights.

Business impact

Organizations running affected Linux kernels on systems with RDMA hardware (commonly found in high-performance computing clusters, data centers with InfiniBand interconnects, or specialized network appliances) face elevated risk of denial of service through kernel panics. More critically, an unprivileged local user with access to RDMA device context creation can potentially corrupt kernel memory, escalate privileges, or leak sensitive kernel data. In environments like HPC clusters or cloud data centers where RDMA is enabled for performance, this could allow lateral movement or persistence mechanisms within a trusted network segment.

Affected systems

The vulnerability affects the Linux kernel RDMA subsystem, specifically the vmw_pvrdma (VMware paravirtual RDMA) driver. This driver is typically used in VMware ESXi environments or when running Linux guests with RDMA support in virtualized settings. Unpatched Linux kernels with this driver compiled in are vulnerable. The vulnerability requires local system access and the ability to invoke RDMA context allocation, which is restricted to privileged or specific unprivileged users depending on system configuration.

Exploitability

Exploitability is moderate to high for systems where RDMA is enabled and accessible. The vulnerability requires local access (AV:L) and low privilege (PR:L) but no user interaction (UI:N). The double-free condition is deterministic and reliably triggered through legitimate RDMA API calls by an unprivileged user with appropriate device permissions. While it requires understanding of RDMA programming and the kernel memory allocator behavior, the technical bar for demonstrating denial of service is low. Privilege escalation exploitation is more complex but feasible given the scope impact (S:U indicates no privilege escalation boundary crossing in the vector) and the direct memory corruption capability.

Remediation

Apply the upstream Linux kernel patch that fixes the error handling in pvrdma_alloc_ucontext() to avoid the redundant pvrdma_uar_free() call. The fix removes the erroneous free operation from the error path, relying on pvrdma_dealloc_ucontext() to perform cleanup once the user context is properly initialized. Verify against the vendor advisory for the specific patch version available for your kernel release branch (5.10.x, 5.15.x, 6.1.x, 6.6.x, etc.). Systems without RDMA enabled or without the vmw_pvrdma driver in their kernel configuration are unaffected.

Patch guidance

Identify your kernel version using 'uname -r'. Check the Linux kernel security advisory or your Linux distribution's security updates for CVE-2026-46189 patches applicable to your kernel branch. For RHEL, Debian, Ubuntu, SUSE, and other distribution derivatives, verify patch availability through their respective security advisories. If RDMA/vmw_pvrdma is not in active use, disabling the driver at compile time or via module blacklisting provides immediate mitigation. Test patches in a non-production environment before rolling out broadly, particularly in HPC environments where kernel stability is critical. Schedule patching aligned with your change management process; the LOCAL + LOW privilege requirement means insider or compromised-account threat actors are the primary concern.

Detection guidance

Monitor for pvrdma-related kernel warnings, oops messages, or panics in kernel logs (dmesg, journalctl). Use kernel address sanitizers (KASAN) or memory debugging tools if available in your environment to detect double-free conditions. Network intrusion detection signatures are not applicable since this is a local kernel bug. Audit RDMA context creation calls and track which users have permission to access RDMA devices via 'ibacm', 'ibstat', or lsmod output for the pvrdma module. In high-security environments, monitor for crashes correlating with RDMA user context allocation attempts.

Why prioritize this

This vulnerability merits high priority despite not being on the KEV list because it combines HIGH severity (CVSS 7.8), local privilege escalation potential, deterministic exploitability, and presence in infrastructure-critical deployments (HPC, cloud data centers). The double-free in error-path memory management is a classic kernel vulnerability pattern with proven exploitation techniques. Organizations must prioritize patching systems with RDMA enabled, particularly in environments where least-privilege access controls are enforced and unprivileged users may interact with RDMA.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects HIGH severity: local attack vector (AV:L) limits exposure to authenticated users, but low privilege requirement (PR:L) and absence of user interaction (UI:N) lower the barrier. The impact metrics (C:H, I:H, A:H—all high) indicate that successful exploitation can compromise confidentiality, integrity, and availability. The double-free condition reliably yields memory corruption, which typically manifests as denial of service but can enable privilege escalation or information disclosure depending on heap state during exploitation. The score appropriately prioritizes this for organizations using RDMA infrastructure.

Frequently asked questions

Do I need to worry about this if I don't use RDMA or InfiniBand?

No. If your systems do not have RDMA hardware or vmw_pvrdma driver compiled into the kernel, you are unaffected. Check with 'lsmod | grep pvrdma' or review your kernel build configuration to confirm. Most desktop and general-purpose servers do not use RDMA.

Can this vulnerability be exploited remotely?

No. The attack vector is local (AV:L), requiring an authenticated user with system access or access to an RDMA device. Remote code execution is not possible through this flaw alone. However, in cloud environments where tenants have VM access, a compromised VM could exploit this to break out or escalate privileges.

What is the difference between this and a typical use-after-free?

This is specifically a double-free: the same memory region is deallocated twice through two different execution paths. Double-frees are particularly dangerous because they corrupt heap metadata and can provide deterministic control for privilege escalation. Use-after-free involves accessing memory after one free; this bug combines both risks.

If I disable the RDMA module, am I protected?

Yes. Blacklisting the pvrdma module ('echo blacklist pvrdma >> /etc/modprobe.d/blacklist.conf') prevents it from loading and eliminates the attack surface while you prepare for patching. However, this is a temporary mitigation if your workloads depend on RDMA functionality; applying the actual patch is the proper long-term solution.

This analysis is provided for informational purposes to support security decision-making. SEC.co does not provide legal, compliance, or formal risk management advice. Organizations must validate all recommendations against their own infrastructure, kernel versions, and threat model. Patch version numbers and specific distribution release dates should be verified against official vendor advisories. No guarantee is made regarding exploit code availability, attack prevalence, or real-world exploitation. This vulnerability is analyzed as of the publication and modification dates provided; threat landscape may evolve. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).