CVE-2026-46176
Published: May 28, 2026
Modified: May 30, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected b6334d2356fc0922ed01457960f74923058a353a - < a13c2ac4d480b734342c6fbf8249fc48afd675f3affected 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 - < bc2cf5935b4665172235341163315905197ae91daffected 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 - < b087913ae88256df66620f7ba0a9776716aeef7eaffected 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 - < 6fd93142dd1d09000c3750af08270f5792523fe9affected 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467 - < c488df06bd552bb8b6e14fa0cfd5ad986c6e9525+1 more versions |
Linux | Linux | affected 6.11unaffected 0 - < 6.11unaffected 6.6.140 - <= 6.6.*unaffected 6.12.88 - <= 6.12.*unaffected 6.18.30 - <= 6.18.*+2 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now