HIGH 7.5

CVE-2026-46265: Linux RDMA/hns WQ_MEM_RECLAIM Workqueue Bug – High Availability Risk

CVE-2026-46265 is a Linux kernel workqueue memory-reclaim configuration bug in the RDMA/hns (Huawei RoCE) driver. When the driver resets during RPC over RDMA operations, a workqueue used for interrupt handling lacks the WQ_MEM_RECLAIM flag, triggering kernel warnings. While the issue itself does not directly compromise confidentiality or integrity, it can cause availability disruptions by crashing the kernel or forcing emergency resets during high-stress memory conditions. This primarily affects systems running Sun RPC over RDMA on Huawei RoCE hardware.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix WQ_MEM_RECLAIM warning When sunrpc is used, if a reset triggered, our wq may lead the following trace: workqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma] is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle [hns_roce_hw_v2] WARNING: CPU: 0 PID: 8250 at kernel/workqueue.c:2644 check_flush_dependency+0xe0/0x144 Call trace: check_flush_dependency+0xe0/0x144 start_flush_work.constprop.0+0x1d0/0x2f0 __flush_work.isra.0+0x40/0xb0 flush_work+0x14/0x30 hns_roce_v2_destroy_qp+0xac/0x1e0 [hns_roce_hw_v2] ib_destroy_qp_user+0x9c/0x2b4 rdma_destroy_qp+0x34/0xb0 rpcrdma_ep_destroy+0x28/0xcc [rpcrdma] rpcrdma_ep_put+0x74/0xb4 [rpcrdma] rpcrdma_xprt_disconnect+0x1d8/0x260 [rpcrdma] xprt_rdma_connect_worker+0xc0/0x120 [rpcrdma] process_one_work+0x1cc/0x4d0 worker_thread+0x154/0x414 kthread+0x104/0x144 ret_from_fork+0x10/0x18 Since QP destruction frees memory, this wq should have the WQ_MEM_RECLAIM.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper workqueue configuration in the hns_roce driver's QP (queue pair) destruction path. When RDMA/RPC operations trigger a reset, the hns_roce_irq_workq workqueue attempts to flush work from a WQ_MEM_RECLAIM context (xprtiod worker), but the hns_roce_irq_workq itself lacks the WQ_MEM_RECLAIM flag. This violates kernel workqueue ordering constraints designed to prevent deadlocks during memory reclamation. The issue manifests as a check_flush_dependency() warning in kernel/workqueue.c, indicating a potential deadlock hazard. The fix requires marking hns_roce_irq_workq with WQ_MEM_RECLAIM so that queue pair destruction—which involves memory freeing—can safely operate within memory-pressure contexts.

Business impact

Organizations relying on NFS or RPC-based services over RDMA using Huawei RoCE adapters face potential service interruptions. During memory pressure or cluster resets, kernel warnings can escalate to kernel panics or forced system restarts. This is most critical for high-performance computing clusters, distributed storage systems (e.g., Ceph), and enterprise data centers using RoCE for low-latency I/O. Unplanned downtime and data availability issues could result. The risk is moderate in scale because it requires specific hardware and workload conditions, but the consequences are severe when triggered.

Affected systems

Linux systems using the Huawei RoCE (RDMA/hns) driver are affected. Vulnerable versions are those prior to the patch inclusion. The vulnerability is present in systems running sunrpc over RDMA, particularly on Arm64-based servers with Huawei RoCE NICs. Check your kernel version and confirm hns_roce module presence with 'lsmod | grep hns_roce'. Desktop and non-RDMA Linux systems are not affected.

Exploitability

This is not a remotely exploitable vulnerability in the traditional sense. It cannot be triggered by external network traffic. Instead, it is a latent kernel stability bug triggered internally by specific workload patterns: RDMA connection resets under high memory pressure or during sunrpc failover events. An attacker with local ability to trigger RDMA reset conditions (e.g., via deliberately degraded network conditions on local RoCE fabric) could potentially amplify the denial-of-service impact. The CVSS score of 7.5 (HIGH) reflects the availability impact (A:H) with low attack complexity, though exploitation requires local presence or control of RoCE fabric topology.

Remediation

Apply the upstream Linux kernel patch that adds the WQ_MEM_RECLAIM flag to the hns_roce_irq_workq workqueue allocation. Verify patch inclusion in your kernel version before deploying. For systems unable to patch immediately, operational mitigations include: (1) avoiding aggressive RDMA connection resets during memory pressure by tuning RPC timeout values, and (2) monitoring kernel logs for WQ_MEM_RECLAIM warnings as an early warning sign. Reboot systems exhibiting this warning to clear transient state.

Patch guidance

Check your Linux kernel version for inclusion of the RDMA/hns WQ_MEM_RECLAIM fix. The patch was merged into the kernel's rdma/hns driver code path. Verify against the official Linux kernel commit history and your distribution's kernel advisory. Most recent stable kernels (5.15+) should include this fix; check your kernel changelog. When patching, ensure your hns_roce driver module is recompiled or your kernel is fully rebuilt. Test in a staging environment by reproducing RPC over RDMA workloads with network resets to confirm the warning no longer appears in dmesg.

Detection guidance

Monitor kernel logs (dmesg, journalctl) for the specific warning: 'WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq'. Grep logs with: 'journalctl -xe | grep -i "WQ_MEM_RECLAIM"' or 'dmesg | grep check_flush_dependency'. Monitor for unexpected kernel panics or resets coinciding with RDMA workload spikes or RPC failover events. If hns_roce is loaded ('lsmod | grep hns_roce'), enable workqueue debugging in sysfs to catch early warnings: 'echo 1 > /sys/module/workqueue/parameters/debug_force_rcu_schedule'.

Why prioritize this

Prioritize this patch for systems running NFS over RDMA or any sunrpc-based services on RoCE hardware. The CVSS score of 7.5 reflects high availability impact with low complexity, but real-world impact is limited to specific hardware/workload combinations. Patch within 60 days for production clusters using RoCE; expedite to 30 days if you have observed the WQ_MEM_RECLAIM warning in your logs. Desktop systems and non-RDMA deployments can defer this patch.

Risk score, explained

The CVSS 7.5 (HIGH) score is driven by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The 'A:H' (availability high) reflects kernel panic potential; however, the 'AV:N' (network vector) is somewhat generous here—true exploitation requires local RoCE fabric control or triggering reset conditions from within the system. The lack of confidentiality or integrity impact keeps it from CRITICAL. The score accurately captures the severity for affected deployments but overstates risk for organizations not using RoCE.

Frequently asked questions

Do I need to patch this if I'm not using RDMA?

No. This vulnerability is specific to Linux systems running the hns_roce RDMA driver. If 'lsmod | grep hns_roce' returns nothing, you are not affected. Standard Ethernet-based systems do not require this patch.

What happens if I don't patch before a reset occurs?

You may experience kernel warnings (check_flush_dependency) in dmesg, potential kernel panics, or forced reboots during RDMA resets under memory pressure. The system may become unstable but will not be compromised for confidentiality or integrity. Patching eliminates the warning and improves stability.

Is this a remote code execution vulnerability?

No. This is a kernel stability bug, not a code execution flaw. It cannot be exploited remotely over the network. It requires local workload conditions (RDMA resets, memory pressure) or local attacker presence to trigger the denial-of-service condition.

Can I work around this without patching?

Operational mitigations exist but are not reliable long-term: disable aggressive RDMA reconnect timeouts, monitor for the warning, and reboot if seen. However, patching is the only proper fix. Upgrading your kernel to a recent stable version (5.15+) likely includes this fix already.

This analysis is based on CVE-2026-46265 as of June 2026. The vulnerability is a real Linux kernel issue affecting the hns_roce RDMA driver. SEC.co does not provide legal advice, and organizations should verify patch availability and compatibility with their specific kernel version and distribution before deploying. Test patches in non-production environments first. The CVSS score reflects the vector provided and may differ from other scoring methodologies. This explainer does not constitute a full security assessment; conduct threat modeling aligned with your specific RDMA workloads and infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).