CVE-2026-46181
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel RDMA/mlx4 SRQ Event Handling

Publication date: 2026-05-28

Last updated on: 2026-06-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-11
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46181
EUVD
EUVD-2026-32808
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 4.9 (inc) to 6.18.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is related to the Linux kernel's RDMA mlx4 driver, specifically in the mlx4_srq_event() function. The issue arises from improper use of Read-Copy-Update (RCU) synchronization. Although the radix_tree data structure is RCU safe, the mlx4_srq struct is not freed using RCU and is not accessed within an RCU critical section. This can cause a crash if an event is delivered before the srq object has finished initializing. The fix involves using a spinlock instead of RCU, protecting against partially initialized objects with refcount_inc_not_zero(), and ensuring the reference count is set only after the srq is fully initialized.

Impact Analysis

This vulnerability can lead to system crashes or instability in environments using the affected Linux kernel RDMA mlx4 driver. If an event is delivered before the srq object is fully initialized, it may cause a crash, potentially disrupting services or applications relying on RDMA functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart