RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()_CVE-2026-46176

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

Basic Information

ID CVE-2026-46176

Source Linux

Published May 28, 2026 at 09:36

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version b6334d2356fc0922ed01457960f74923058a353a

Affected Versions Linux Linux b6334d2356fc0922ed01457960f74923058a353a
Linux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Linux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Linux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Linux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467
Linux Linux 6.6.64
Linux Linux 6.11

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr->s0 and devr->s1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path.",
    "published": "2026-05-28T09:36:30.398Z",
    "modified": "2026-05-30T10:48:43.173Z",
    "type": "cve",
    "title": "RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3\nhttps://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d\nhttps://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e\nhttps://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9\nhttps://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525",
    "id": "CVE-2026-46176",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux b6334d2356fc0922ed01457960f74923058a353a\nLinux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467\nLinux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467\nLinux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467\nLinux Linux 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467\nLinux Linux 6.6.64\nLinux Linux 6.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "b6334d2356fc0922ed01457960f74923058a353a",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply