CVE-2026-45910
Awaiting Analysis - Queue
Race Condition in RDMA RXE QP Timer Handlers

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race condition in QP timer handlers

I encountered the following warning:

    WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0
    ... libsha1 [last unloaded: ip6_udp_tunnel]
    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT
    Tainted: [C]=CRAP
    Hardware name: Raspberry Pi 4 Model B Rev 1.2
    Call trace:
     rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)
     retransmit_timer+0x130/0x188 [rdma_rxe]
     call_timer_fn+0x68/0x4d0
     __run_timers+0x630/0x888
    ...
    WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0
    ...
    WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400
    ...
    refcount_t: underflow; use-after-free.
    WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400

The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution.

It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests.

Example of flow causing the issue:

    CPU0                                  CPU1
    retransmit_timer() {
        spin_lock_irqsave
                                          rxe_destroy_qp()
                                           __rxe_cleanup()
                                            __rxe_put() // qp->ref_count decrease to 0
                                            rxe_qp_do_cleanup() {
        if (qp->valid) {
            rxe_sched_task() {
                WARN_ON(rxe_read(task->qp) <= 0);
            }
        }
        spin_unlock_irqrestore
    }
                                              spin_lock_irqsave
                                              qp->valid = 0
                                              spin_unlock_irqrestore
                                            }

Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: 6.19.0-rc5-64k-v8+
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is a race condition in the Linux kernel's RDMA/rxe driver, specifically in the Queue Pair (QP) timer handlers.

The issue occurs due to a race between the retransmit_timer() function and rxe_destroy_qp(), which can cause the QP's reference count to drop to zero while a timer handler is still executing.

This leads to warnings such as refcount_t underflow and use-after-free conditions in the kernel logs.

The problem arises because the QP's validity and reference count are not properly maintained during concurrent timer callbacks and cleanup operations.

The fix involves ensuring the QP's reference count is correctly incremented and decremented (using rxe_get(qp) and rxe_put(qp)) and its validity checked within timer callbacks to prevent premature cleanup.

Impact Analysis

This vulnerability can cause kernel warnings and potentially unstable behavior due to race conditions and use-after-free errors in the RDMA/rxe driver.

However, it appears to be mostly harmless because the cleanup function rxe_qp_do_cleanup() flushes all pending timers and requests, reducing the risk of serious crashes.

Still, the presence of race conditions and reference count underflows can lead to unpredictable behavior, which might affect system stability or reliability in environments using RDMA over the rxe driver.

Detection Guidance

This vulnerability can be detected by monitoring kernel warning messages related to the RDMA rxe driver, specifically warnings from rxe_sched_task, retransmit_timer, and refcount underflow or use-after-free warnings.

Look for kernel log messages similar to the following warnings:

  • WARNING: drivers/infiniband/sw/rxe/rxe_task.c at rxe_sched_task
  • WARNING: refcount_t: underflow; use-after-free in lib/refcount.c

You can use the following commands to check for these warnings in your system logs:

  • dmesg | grep -i rxe
  • journalctl -k | grep -i rxe
  • dmesg | grep -i 'refcount_t: underflow'

Mitigation Strategies

To mitigate this vulnerability, ensure that the Queue Pair's (QP) reference count is properly maintained and its validity is checked within the timer callbacks.

Specifically, calls to rxe_get(qp) should be added before using the QP in timer handlers, and corresponding calls to rxe_put(qp) should be made after use to prevent the reference count from dropping to zero prematurely.

Additionally, applying the patch or update that fixes the race condition in the Linux kernel RDMA rxe driver is recommended once available.
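
A userspace model of the get/put bracket described above, replaying the interleaving from the description. It is an added illustration, not code from the kernel patch or the rxe driver: every struct and function name is hypothetical, and model_get is assumed to refuse a reference once the count has reached zero.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of a QP; all names are hypothetical, not driver code. */
struct model_qp { atomic_int ref; bool valid; int warns, scheduled; };
struct outcome { int warns, scheduled, ref; };

/* Assumed semantics: take a reference only while the count is non-zero. */
static bool model_get(struct model_qp *qp)
{
    int old = atomic_load(&qp->ref);
    while (old > 0)
        if (atomic_compare_exchange_weak(&qp->ref, &old, old + 1))
            return true;
    return false;
}
static void model_put(struct model_qp *qp) { atomic_fetch_sub(&qp->ref, 1); }

/* Timer handler; pin selects the get/put bracket described in the fix. */
static void model_timer(struct model_qp *qp, bool pin)
{
    if (pin && !model_get(qp))
        return;                          /* QP already dying: do nothing */
    if (qp->valid) {
        if (atomic_load(&qp->ref) <= 0)  /* mirrors the WARN_ON in the flow */
            qp->warns++;
        qp->scheduled++;
    }
    if (pin)
        model_put(qp);
}

/* One timer firing; dying = last reference dropped, valid not yet cleared. */
struct outcome replay(bool pin, bool dying)
{
    struct model_qp qp = { .ref = 1, .valid = true };
    if (dying)
        model_put(&qp);
    model_timer(&qp, pin);
    return (struct outcome){ qp.warns, qp.scheduled, atomic_load(&qp.ref) };
}

int main(void)
{
    struct outcome a = replay(false, true), b = replay(true, true);
    printf("warnings: unpatched=%d patched=%d\n", a.warns, b.warns);
    return 0;
}
```

The model is single-threaded on purpose so the ordering is deterministic; it shows why checking valid alone is not enough once the last reference is gone.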
