PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45852 Linux CVE debrief

A double-free vulnerability exists in the Linux kernel's RDMA/rxe subsystem. In `rxe_srq_from_init()`, the queue pointer `q` is assigned to `srq->rq.queue` before `copy_to_user()` is invoked. If `copy_to_user()` fails, `rxe_queue_cleanup()` frees the queue, but the stale pointer remains in `srq->rq.queue`. When the caller `rxe_create_srq()` subsequently invokes `rxe_srq_cleanup()` upon error, a second `rxe_queue_cleanup()` occurs on the same memory, triggering a double-free condition. The fix relocates the assignment `srq->rq.queue = q` to occur only after successful `copy_to_user()` completion.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel maintainers, HPC/AI infrastructure operators utilizing RDMA over Converged Ethernet (RoCE), cloud providers offering RDMA-enabled instances, and security teams monitoring kernel memory integrity.

Technical summary

The vulnerability resides in `drivers/infiniband/sw/rxe/rxe_srq.c` within the `rxe_srq_from_init()` function. The problematic code pattern assigns `srq->rq.queue = q` prior to the user-space copy operation. Upon `copy_to_user()` failure, the error path calls `rxe_queue_cleanup(q)`, freeing the queue memory. However, `srq->rq.queue` retains the now-dangling pointer. The calling function `rxe_create_srq()` detects the error and invokes `rxe_srq_cleanup()`, which internally calls `rxe_queue_cleanup(srq->rq.queue)`—the same memory region previously freed. This results in a use-after-free leading to double-free, corrupting the kernel's `kmem_cache` allocator state. The resolution ensures pointer assignment occurs only after confirmed successful user-space data transfer, eliminating the stale pointer condition.
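
The ordering problem described above, reduced to a user-space C model. This is an added example, not the kernel's code: `struct queue`, `struct srq`, the `srq_init_*` functions and `frees_on_copy_failure()` are hypothetical stand-ins, the cleanup counts calls instead of freeing memory, and the model assumes the caller's cleanup skips a NULL queue pointer.

```c
/* User-space model of the ordering bug (constructed; not kernel source). */
#include <stdio.h>

struct queue { int frees; };           /* counts cleanups instead of freeing */
struct srq   { struct queue *queue; }; /* stands in for srq->rq.queue */

static void queue_cleanup(struct queue *q) { q->frees++; }

/* Pre-fix ordering: pointer published before the fallible copy. */
static int srq_init_buggy(struct srq *srq, struct queue *q, int copy_fails)
{
    srq->queue = q;
    if (copy_fails) {          /* models copy_to_user() returning nonzero */
        queue_cleanup(q);      /* first free; srq->queue is now stale */
        return -1;
    }
    return 0;
}

/* Post-fix ordering: pointer published only after the copy succeeded. */
static int srq_init_fixed(struct srq *srq, struct queue *q, int copy_fails)
{
    if (copy_fails) {
        queue_cleanup(q);      /* only free; srq->queue is still NULL */
        return -1;
    }
    srq->queue = q;
    return 0;
}

/* Caller's error path: releases whatever pointer is published (assumed NULL-safe). */
static void srq_cleanup(struct srq *srq)
{
    if (srq->queue)
        queue_cleanup(srq->queue);
}

/* Create an SRQ whose copy-out fails; return how often the queue was cleaned up. */
static int frees_on_copy_failure(int use_fixed)
{
    struct queue q = { 0 };
    struct srq srq = { NULL };
    int err = (use_fixed ? srq_init_fixed : srq_init_buggy)(&srq, &q, 1);
    if (err)
        srq_cleanup(&srq);
    return q.frees;
}

int main(void) { printf("buggy=%d fixed=%d\n", frees_on_copy_failure(0), frees_on_copy_failure(1)); return 0; }
```

A cleanup count of 2 for the pre-fix ordering corresponds to the double `rxe_queue_cleanup()` the summary describes; the post-fix ordering leaves exactly one.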

Defensive priority

High

Recommended defensive actions

  • Apply kernel patches from stable branches as referenced in official CVE sources
  • Prioritize patching systems utilizing RDMA/rxe (Soft-RoCE) functionality
  • Monitor kernel logs for kmem_cache_free or rxe_queue_cleanup anomalies indicating potential exploitation attempts
  • Validate kernel version against patched releases in stable trees

Evidence notes

Vulnerability description and fix details sourced from official CVE record and NVD entry. Multiple kernel.org stable tree commits provided as references.

Official resources

2026-05-27