PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45898 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's RDMA iWARP Connection Manager (iw_cm) can cause kernel crashes due to workqueue list corruption. The issue stems from commit e1168f0, which changed work submission logic to unconditionally call queue_work() while using a free list of iwcm_work structures. Each queue_work() call queues unique work items, allowing a work handler to process and release an entry back to the free list while the workqueue entry remains queued. Subsequent reuse of the freed structure leads to list corruption in the workqueue logic, triggering a kernel BUG() at lib/list_debug.c:67. The vulnerability was observed during stress testing with ucmatose on Intel E830 in iWARP mode, manifesting as a list_del corruption error and invalid opcode oops. The fix removes the redundant work_list, relying on the workqueue's native handling instead.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Linux systems with RDMA iWARP hardware, particularly Intel E830 adapters or similar iWARP-capable NICs under high-connection workloads. Cloud providers and HPC environments utilizing kernel-based RDMA for low-latency networking. System administrators responsible for kernel stability on RDMA-enabled infrastructure.

Technical summary

The RDMA iWARP Connection Manager (iw_cm) in the Linux kernel contains a use-after-free vulnerability in workqueue handling. The problematic commit e1168f0 introduced unconditional queue_work() calls on iwcm_work structures drawn from a free list. Because each queue_work() invocation treats the work_struct as unique, multiple work items can reference the same logical work. The work handler iterates through work_list until empty, potentially releasing a work entry back to the free list while a workqueue entry remains pending. If the freed structure is reused and reinitialized with INIT_WORK(), subsequent workqueue operations corrupt the linked list, triggering list_del corruption detection and a kernel BUG(). The vulnerability causes system crashes with invalid opcode oops, observed specifically during ucmatose stress testing on Intel E830 iWARP hardware. The resolution removes the custom work_list entirely, delegating workqueue management to the kernel's native workqueue implementation which properly handles duplicate submissions.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.1.132, 6.6.91, 6.12.28, 6.14.7, or 6.15-rc4 or later
  • Reboot systems after kernel update to ensure patched code is active
  • Monitor kernel logs for list_del corruption errors on systems running iWARP RDMA workloads
  • Prioritize patching on systems running Intel E830 or similar iWARP hardware under stress workloads
  • Review custom RDMA/iwcm code for similar workqueue list management patterns

Evidence notes

Vulnerability description confirms kernel BUG() at lib/list_debug.c:67 with list_del corruption. Issue introduced by commit e1168f0 changing work submission logic. Fix confirmed by kernel.org stable commits removing work_list. Observed during ucmatose stress testing on Intel E830 iWARP.

Official resources

2026-05-27