CVE-2026-46181
Modified Modified - Updated After Analysis

Race Condition in Linux Kernel RDMA/mlx4 SRQ Event Handling

Vulnerability report for CVE-2026-46181, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-28

Last updated on: 2026-07-07

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-28
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-05-28
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 4.9 (inc) to 6.18.30 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is related to the Linux kernel's RDMA mlx4 driver, specifically in the mlx4_srq_event() function. The issue arises from improper use of Read-Copy-Update (RCU) synchronization. Although the radix_tree data structure is RCU safe, the mlx4_srq struct is not freed using RCU and is not accessed within an RCU critical section. This can cause a crash if an event is delivered before the srq object has finished initializing. The fix involves using a spinlock instead of RCU, protecting against partially initialized objects with refcount_inc_not_zero(), and ensuring the reference count is set only after the srq is fully initialized.

Impact Analysis

This vulnerability can lead to system crashes or instability in environments using the affected Linux kernel RDMA mlx4 driver. If an event is delivered before the srq object is fully initialized, it may cause a crash, potentially disrupting services or applications relying on RDMA functionality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart