CVE-2026-46176

HIGH EPSS 3.6%
Published May 28, 20261mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥6.6.64  –  <6.6.140
linuxlinux_kernel*≥6.11  –  <6.12.88
linuxlinux_kernel*≥6.13  –  <6.18.30
linuxlinux_kernel*≥6.19  –  <7.0.7
linuxlinux_kernel7.1any
linuxlinux_kernel7.1any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525
    Patch