CVE-2026-46181
Race Condition in Linux Kernel RDMA/mlx4 SRQ Event Handling
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is related to the Linux kernel's RDMA mlx4 driver, specifically in the mlx4_srq_event() function. The issue arises from improper use of Read-Copy-Update (RCU) synchronization. Although the radix_tree data structure is RCU safe, the mlx4_srq struct is not freed using RCU and is not accessed within an RCU critical section. This can cause a crash if an event is delivered before the srq object has finished initializing. The fix involves using a spinlock instead of RCU, protecting against partially initialized objects with refcount_inc_not_zero(), and ensuring the reference count is set only after the srq is fully initialized.
How can this vulnerability impact me? :
This vulnerability can lead to system crashes or instability in environments using the affected Linux kernel RDMA mlx4 driver. If an event is delivered before the srq object is fully initialized, it may cause a crash, potentially disrupting services or applications relying on RDMA functionality.