CVE-2026-31492
Use-After-Initialization in Linux RDMA irdma QP Cleanup
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.14 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.131 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.14.1 (inc) to 6.1.168 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's RDMA/irdma component. During creation of a queue pair (QP) in the function irdma_create_qp, if ib_copy_to_udata fails, the cleanup function irdma_destroy_qp is called. That cleanup waits on a completion object called free_qp, but the completion has not been initialized at that point, which can lead to undefined behavior or errors. The fix initializes the free_qp completion before the ib_copy_to_udata call, so the error path always waits on a valid object.
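A userspace C model of the ordering problem described above, added here as an illustration; it is not the irdma driver's code. The `model_*` names, the magic field, and the assumption that cleanup signals free_qp before waiting on it are hypothetical.

```c
#include <string.h>

/* Userspace stand-in for a kernel completion. The magic field exists only
 * so this model can detect a wait on an object that was never initialized. */
#define MODEL_MAGIC 0x436f6d70u
struct model_completion { unsigned magic; unsigned done; };

static void model_init_completion(struct model_completion *c)
{
    c->magic = MODEL_MAGIC;
    c->done = 0;
}

static void model_complete(struct model_completion *c) { c->done++; }

/* 0: waiter released; -1: never initialized; -2: would block. */
static int model_wait_for_completion(struct model_completion *c)
{
    if (c->magic != MODEL_MAGIC)
        return -1;
    if (c->done == 0)
        return -2;
    c->done--;
    return 0;
}

struct model_qp { struct model_completion free_qp; };

/* Cleanup: signal free_qp (assumed last reference drop), then wait on it. */
static int model_destroy_qp(struct model_qp *qp)
{
    model_complete(&qp->free_qp);
    return model_wait_for_completion(&qp->free_qp);
}

/* copy_fails models ib_copy_to_udata failing; init_first picks the fixed order. */
static int model_create_qp(int copy_fails, int init_first)
{
    struct model_qp qp;
    memset(&qp, 0, sizeof(qp));               /* constructed: memory before any init */
    if (init_first)
        model_init_completion(&qp.free_qp);   /* fixed: init before the copy */
    if (copy_fails)
        return model_destroy_qp(&qp);         /* error path runs cleanup */
    if (!init_first)
        model_init_completion(&qp.free_qp);   /* assumed pre-fix order: init after the copy */
    return 1;                                 /* QP created */
}
```

Both orderings behave the same when the copy succeeds, which is why the defect only surfaces on the failure path.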
How can this vulnerability impact me?
If this vulnerability is triggered, it could cause improper cleanup during queue pair creation failures in the RDMA/irdma subsystem of the Linux kernel. This might lead to system instability, crashes, or resource leaks due to waiting on an uninitialized completion object.