CVE-2026-46176
Analyzed - Analysis Complete
Memory Leak in Linux Kernel RDMA/mlx5 Driver

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

Meta Information

Published: 2026-05-28
Last Modified: 2026-06-10
Generated: 2026-06-17
AI Q&A: 2026-05-30
EPSS Evaluated: 2026-06-16

Affected Vendors & Products

Showing 6 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   7.1
linux    linux_kernel   7.1
linux    linux_kernel   From 6.13 (inc) to 6.18.30 (exc)
linux    linux_kernel   From 6.19 (inc) to 7.0.7 (exc)
linux    linux_kernel   From 6.11 (inc) to 6.12.88 (exc)
linux    linux_kernel   From 6.6.64 (inc) to 6.6.140 (exc)

CWE ID: CWE-UNKNOWN

Mitigation Strategies

The vulnerability has been fixed by correcting the error handling in the mlx5_ib_dev_res_srq_init() function in the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates or patches that address this issue.
  • Avoid using vulnerable kernel versions that contain the flawed mlx5_ib_dev_res_srq_init() implementation.

Impact Analysis

This vulnerability can lead to use-after-free and double-free conditions in the Linux kernel's RDMA mlx5 driver. Such memory corruption issues can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because the error path mishandles pointers, it may result in dereferencing invalid memory, which can compromise the reliability and security of systems using affected versions of the Linux kernel.

Executive Summary

This vulnerability exists in the Linux kernel's RDMA mlx5 driver, specifically in the mlx5_ib_dev_res_srq_init() function. The function allocates two Shared Receive Queues (SRQs), named s0 and s1. If the allocation of s1 fails, the error handling code incorrectly frees s0 but then continues execution and assigns both the freed s0 and an error pointer (ERR_PTR) for s1 to device resource pointers without proper checks.

This causes several issues: the fast path code mistakenly treats the error pointer as a valid initialized SRQ, users of the mlx5_ib_create_qp() function may dereference freed or invalid SRQ pointers, and during cleanup, the error pointer is dereferenced and s0 may be double-freed. The root cause is an error path fall-through that lacks proper control flow to prevent these invalid assignments.
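
The fall-through summarised above, as an added user-space C model (not the kernel's code and not part of the original advisory). `create_srq`, `destroy_srq`, `cleanup`, the `pool` array and the `fixed` switch are hypothetical stand-ins, and the two counters record the faults the real driver would hit instead of triggering them.

```c
/* Constructed user-space model of the s1 error path; not kernel source. */
#include <stdint.h>
#include <stdio.h>
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)

struct srq  { int live; };
struct devr { struct srq *s0, *s1; };
static struct srq pool[2];            /* backing store: nothing is really freed */
static int bad_derefs, double_frees;  /* faults the kernel would have hit */
/* Stand-in for ib_create_srq(): ERR_PTR(-12), i.e. -ENOMEM, on request. */
static struct srq *create_srq(int slot, int fail) {
    if (fail) return ERR_PTR(-12);
    pool[slot].live = 1;
    return &pool[slot];
}
static void destroy_srq(struct srq *s) {
    if (IS_ERR(s)) { bad_derefs++; return; }  /* would be an invalid deref */
    if (!s->live) double_frees++;
    s->live = 0;
}
/* fixed=0: fall-through as described; fixed=1: with the added goto unlock. */
static int srq_init(struct devr *d, int fail_s1, int fixed) {
    struct srq *s0, *s1;
    int ret = 0;
    if (d->s1) return 0;              /* lock-free fast path */
    s0 = create_srq(0, 0);            /* s0 always succeeds in this model */
    s1 = create_srq(1, fail_s1);
    if (IS_ERR(s1)) {
        ret = (int)(intptr_t)s1;
        destroy_srq(s0);
        if (fixed) goto unlock;
    }
    d->s0 = s0;                       /* unfixed: destroyed s0 is published */
    d->s1 = s1;                       /* unfixed: ERR_PTR is published */
unlock:
    return ret;
}
/* Teardown (assumed shape): destroy whatever pointers were stored. */
static void cleanup(struct devr *d) {
    if (d->s1) { destroy_srq(d->s1); destroy_srq(d->s0); }
}

int main(void) {
    struct devr d = {0};
    int ret = srq_init(&d, 1, 0), again = srq_init(&d, 0, 0);
    cleanup(&d);
    printf("ret=%d retry=%d bad_derefs=%d double_frees=%d\n", ret, again, bad_derefs, double_frees);
    return 0;
}
```

With `fixed` set to 1 the failed call leaves both `devr` pointers NULL, so a later call retries the allocation and teardown has nothing to destroy.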
