7.8

CVE-2026-46176

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.6.64 < 6.6.140
LinuxLinux Kernel Version >= 6.11 < 6.12.88
LinuxLinux Kernel Version >= 6.13 < 6.18.30
LinuxLinux Kernel Version >= 6.19 < 7.0.7
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.038
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-825 Expired Pointer Dereference

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3
Patch
https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d
Patch
https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e
Patch
https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9
Patch
https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525
Patch
https://access.redhat.com/errata/RHSA-2026:30848
https://access.redhat.com/errata/RHSA-2026:33215
https://access.redhat.com/security/cve/CVE-2026-46176
https://bugzilla.redhat.com/show_bug.cgi?id=2482594
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46176.json
https://access.redhat.com/errata/RHSA-2026:33685
https://access.redhat.com/errata/RHSA-2026:34094