CVE-2026-45898
Awaiting Analysis
Workqueue List Corruption in Linux Kernel RDMA/iwcm

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix workqueue list corruption by removing work_list

The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expectation that queue_work() would have no effect if work was already pending. The problem is that a free list of struct iwcm_work is used (for which struct work_struct is embedded), so each call to queue_work() is basically unique and therefore does indeed queue the work.

This causes a problem in the work handler which walks the work_list until it's empty to process entries. This means that a single run of the work handler could process item N+1 and release it back to the free list while the actual workqueue entry is still queued. It could then get reused (INIT_WORK...) and lead to list corruption in the workqueue logic.

Fix this by just removing the work_list. The workqueue already does this for us.

This fixes the following error that was observed when stress testing with ucmatose on an Intel E830 in iWARP mode:

[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
[ 151.466639] ------------[ cut here ]------------
[ 151.466986] kernel BUG at lib/list_debug.c:67!
[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)
[ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 151.469192] Workqueue: 0x0 (iw_cm_wq)
[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
[ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90
[ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046
[ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027
[ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600
[ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff
[ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68
[ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000
[ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000
[ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0
[ 151.475895] PKRU: 55555554
[ 151.476118] Call Trace:
[ 151.476331] <TASK>
[ 151.476497] move_linked_works+0x49/0xa0
[ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0
[ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0
[ 151.477479] process_scheduled_works+0x1c8/0x410
[ 151.477823] worker_thread+0x125/0x260
[ 151.478108] ? __pfx_worker_thread+0x10/0x10
[ 151.478430] kthread+0xfe/0x240
[ 151.478671] ? __pfx_kthread+0x10/0x10
[ 151.478955] ? __pfx_kthread+0x10/0x10
[ 151.479240] ret_from_fork+0x208/0x270
[ 151.479523] ? __pfx_kthread+0x10/0x10
[ 151.479806] ret_from_fork_asm+0x1a/0x30
[ 151.480103] </TASK>

Meta Information

Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product      | Version / Range
linux  | linux_kernel | From 6.19.0-rc4+ (inc)
linux  | linux_kernel | 6.19.0-rc4+

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's RDMA/iwcm component. It is caused by a logic error in how work items are queued and processed in the workqueue system. Specifically, the code was changed to always call queue_work(), on the expectation that the call would have no effect if the work was already pending. Because each struct iwcm_work taken from the free list embeds its own struct work_struct, every call to queue_work() queues a separate work item, while the work handler still walks the work_list until it is empty, so a single handler run can process entries whose own workqueue items are still queued.

This causes corruption in the workqueue's internal linked list because the work handler may process and release a work item back to the free list while it is still queued, allowing it to be reused prematurely. This results in list corruption and kernel crashes, as observed during stress testing.

The fix involved removing the redundant work_list, relying on the workqueue's own mechanisms to manage queued work, thus preventing the corruption.

Impact Analysis

This vulnerability can cause kernel crashes and instability due to corruption of internal kernel data structures related to workqueues. Such crashes can lead to denial of service conditions on affected systems running the vulnerable Linux kernel.

In environments using RDMA with iWARP mode, especially under heavy load or stress testing, this bug can trigger system faults, potentially disrupting critical services or applications relying on the kernel's networking and RDMA capabilities.

Detection Guidance

This vulnerability manifests as a workqueue list corruption in the Linux kernel, which can cause kernel BUGs and invalid opcode errors. Detection involves monitoring kernel logs for specific error messages related to list corruption and workqueue failures.

  • Check kernel logs for messages like 'list_del corruption' or 'kernel BUG at lib/list_debug.c:67!' using the command: dmesg | grep -i 'list_del corruption'
  • Look for Oops or BUG messages related to workqueues with: dmesg | grep -i 'workqueue'
  • Monitor system logs (e.g., /var/log/kern.log or /var/log/messages) for similar errors using: sudo grep -i 'list_del corruption' /var/log/kern.log

Since the issue occurs under stress testing with RDMA/iWARP workloads, running stress tests with tools like ucmatose in iWARP mode may help reproduce the issue for detection.
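
The greps above match any list corruption or any workqueue message. The following added example (not part of the advisory or the kernel patch) narrows detection to oopses where a list_del corruption report and the iw_cm_wq workqueue appear in the same trace. The function names scan_iwcm_oops and sample_log are hypothetical, and the second oops in the sample input is constructed as a negative case.

```shell
#!/bin/sh
# Added example, not from the advisory: report only oopses in which a
# list_del corruption report and the iw_cm_wq workqueue appear together.
# Usage: dmesg | scan_iwcm_oops    or    scan_iwcm_oops < /var/log/kern.log

# Prints "<timestamp> <first call-trace frame>" for each matching oops.
scan_iwcm_oops() {
    awk '
        function emit() { if (inoops && hit) print ts, frame; inoops = hit = trace = 0 }
        /list_del corruption/ {
            emit(); inoops = 1; ts = "-"; frame = "-"
            if (match($0, /\[ *[0-9]+\.[0-9]+\]/)) {
                ts = substr($0, RSTART + 1, RLENGTH - 2); gsub(/ /, "", ts)
            }
            next
        }
        !inoops { next }
        /Workqueue:.*iw_cm_wq/ { hit = 1 }
        /Call Trace:/ { trace = 1; next }
        # The first symbol+offset after "Call Trace:" is where the BUG fired.
        trace && frame == "-" && match($0, /[A-Za-z_][A-Za-z0-9_.]*\+0x/) {
            frame = substr($0, RSTART, RLENGTH - 3)
        }
        /<\/TASK>/ { emit() }
        END { emit() }
    '
}

# Sample input. First oops: lines trimmed from the trace in the CVE
# description. Second oops: constructed, unrelated workqueue (negative case).
sample_log() {
    cat <<'EOF'
[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
[ 151.466986] kernel BUG at lib/list_debug.c:67!
[ 151.469192] Workqueue: 0x0 (iw_cm_wq)
[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
[ 151.476118] Call Trace:
[ 151.476331] <TASK>
[ 151.476497] move_linked_works+0x49/0xa0
[ 151.480103] </TASK>
[ 900.000001] list_del corruption. prev->next should be 0000000000000001, but was 0000000000000002.
[ 900.000002] Workqueue: events other_work_fn
[ 900.000003] Call Trace:
[ 900.000004] other_work_fn+0x10/0x20
[ 900.000005] </TASK>
EOF
}

sample_log | scan_iwcm_oops
```

A first frame inside the workqueue core, such as move_linked_works, matches the trace in the description, where the corruption is detected by the workqueue logic rather than inside the iwcm handler.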

Mitigation Strategies

The vulnerability is fixed by removing the work_list in the RDMA/iwcm component of the Linux kernel, which prevents workqueue list corruption.

Immediate mitigation steps include:

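  • Update the Linux kernel to a version that includes the fix, "RDMA/iwcm: Fix workqueue list corruption by removing work_list". Commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") is the change that introduced the problem, not the fix.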
  • Avoid running stress tests or workloads that heavily use RDMA/iWARP features until the kernel is updated.
  • Monitor kernel logs for signs of the issue and reboot the system if kernel panics or BUGs occur.