CVE-2026-46176
Memory Leak in Linux Kernel RDMA/mlx5 Driver
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to use-after-free and double-free conditions in the Linux kernel's RDMA mlx5 driver. Such memory corruption issues can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.
Because the error path mishandles pointers, it may result in dereferencing invalid memory, which can compromise the reliability and security of systems using affected versions of the Linux kernel.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's RDMA mlx5 driver, specifically in the mlx5_ib_dev_res_srq_init() function. The function allocates two Shared Receive Queues (SRQs), named s0 and s1. If the allocation of s1 fails, the error handling code incorrectly frees s0 but then continues execution and assigns both the freed s0 and an error pointer (ERR_PTR) for s1 to device resource pointers without proper checks.
This causes several issues: the fast path code mistakenly treats the error pointer as a valid initialized SRQ, users of the mlx5_ib_create_qp() function may dereference freed or invalid SRQ pointers, and during cleanup, the error pointer is dereferenced and s0 may be double-freed. The root cause is an error path fall-through that lacks proper control flow to prevent these invalid assignments.