CVE-2026-46084
Awaiting Analysis Awaiting Analysis - Queue
Memory Corruption in Linux Kernel RDMA/mana_ib

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs: WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails) Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46084
EUVD
EUVD-2026-32467
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDMA/mana_ib component related to RX steering on RSS QP destruction. When an RSS QP (Receive Side Scaling Queue Pair) is destroyed, the function mana_ib_destroy_qp_rss() removes the RX Work Queue (WQ) objects but fails to disable the vPort RX steering in the firmware. This leaves a stale steering configuration that still points to the destroyed RX objects.

If traffic continues to arrive, for example from a peer virtual machine still transmitting, and the virtual function (VF) interface is brought back up, the firmware may deliver completions using stale Completion Queue (CQ) IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new transmit (TX) CQs, causing RX completions to incorrectly land on TX CQs, which can lead to warnings and potential malfunctions.

The fix involves disabling vPort RX steering before destroying RX WQ objects to prevent stale steering configurations. The disable logic was refactored into a shared function mana_disable_vport_rx() to avoid code duplication.

Impact Analysis

This vulnerability can cause the network driver to misroute RX completions to TX completion queues due to stale steering configurations. This misrouting can lead to warnings, errors, or instability in network traffic handling within the system.

In practical terms, this could result in degraded network performance, potential data loss, or unexpected behavior in applications relying on RDMA or DPDK for high-performance networking.

Detection Guidance

This vulnerability involves stale RX steering configuration in the firmware after an RSS QP is destroyed, which can cause RX completions to incorrectly land on TX completion queues, leading to warnings in the mana driver.

Detection can be done by monitoring system logs for specific warning messages related to the mana driver, such as:

  • WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
  • WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

You can use commands like `dmesg | grep mana` or `journalctl -k | grep mana` to search for these warnings in kernel logs.

Mitigation Strategies

The vulnerability is fixed by disabling vPort RX steering before destroying RX WQ objects in the mana_ib driver.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix where mana_disable_vport_rx() is called before destroying RX WQ objects.
  • Ensure that the ethernet driver's mana_dealloc_queues() function calls the updated common disable function.
  • Avoid using mana_fence_rqs() as a workaround since it does not address the issue.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart