PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45907 Linux CVE debrief

A lock ordering vulnerability in the Linux kernel's Mellanox mlx5 Ethernet driver (mlx5e) can cause deadlocks during health reporter recovery operations. The issue stems from incorrect lock acquisition order when recovery work handlers attempt to acquire the netdev lock before the devlink lock, violating the established initialization hierarchy of devlink lock → rtnl lock → netdev lock. This affects recovery paths for TX error CQEs, RX timeouts, TX PTP queue health, and TX timeouts. The vulnerability was introduced when netdev_trylock was added to work handlers to protect against concurrent channel teardown, but this created circular lock dependencies. The fix relocates the netdev_trylock calls deeper in the call stack to the actual recovery functions where they are strictly necessary, preserving proper lock ordering.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Mellanox ConnectX network adapters using the mlx5e driver, particularly those relying on devlink health reporter functionality for automatic recovery from network errors. Cloud providers and data center operators with high-availability networking requirements should prioritize this fix to prevent potential deadlocks that could impact network availability.

Technical summary

The mlx5e (Mellanox ConnectX Ethernet) driver in the Linux kernel contains a lock ordering violation that can trigger deadlocks during health reporter recovery. The vulnerability exists in four recovery paths: mlx5e_reporter_tx_err_cqe, mlx5e_reporter_rx_timeout, mlx5e_reporter_tx_ptpsq_unhealthy, and mlx5e_reporter_tx_timeout. The incorrect ordering occurs when a work handler acquires netdev_lock and then acquires devlink_lock through devlink_health_report, the reverse of the probe-time hierarchy (devlink lock, then rtnl lock, then netdev lock). The fix moves the netdev_trylock acquisition from the work handlers into the specific recovery functions, so that devlink_lock is already held before netdev_lock is taken wherever both are needed.
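To make the inversion described in the overview and in the technical summary concrete, the following is an added example (not code from the kernel or from the mlx5e driver): a small lockdep-style lock order checker in userspace C. It replays the probe-time hierarchy (devlink lock, then rtnl lock, then netdev lock) and then a recovery work handler in both the pre-fix shape (netdev_trylock in the handler, devlink lock taken underneath it by devlink_health_report) and the post-fix shape (devlink lock first, netdev_trylock only inside the recovery function). Lock names follow the debrief; the checker itself, its struct and function names, and the decision to treat a trylock the way lockdep does (it cannot block, so it neither creates nor is checked for a dependency, but it does count as held for later acquisitions) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock identities taken from the hierarchy in the debrief. Everything else
 * in this file is constructed for illustration and is not kernel code. */
enum lock_id { DEVLINK = 0, RTNL = 1, NETDEV = 2, NLOCKS = 3 };
static const char *const lock_name[NLOCKS] = { "devlink_lock", "rtnl_lock", "netdev_lock" };

struct lock_checker {
    bool order[NLOCKS][NLOCKS]; /* order[a][b]: b was acquired while a was held */
    bool held[NLOCKS];          /* locks currently held by this (single) context */
    int violations;             /* acquisitions that closed a cycle in the graph */
};

static void checker_init(struct lock_checker *c) { memset(c, 0, sizeof *c); }

/* Depth-first search over recorded orderings: can `from` reach `to`? */
static bool reaches(const struct lock_checker *c, int from, int to, bool *seen)
{
    if (from == to) return true;
    seen[from] = true;
    for (int n = 0; n < NLOCKS; n++)
        if (c->order[from][n] && !seen[n] && reaches(c, n, to, seen))
            return true;
    return false;
}

/* Record the acquisition of `l`. A trylock cannot block, so, as lockdep does,
 * we neither check it nor record a dependency for it; it only becomes a held
 * lock that later blocking acquisitions depend on. Returns true when a
 * blocking acquisition contradicts an ordering seen earlier. */
static bool checker_acquire(struct lock_checker *c, enum lock_id l, bool trylock)
{
    bool bad = false;
    if (!trylock) {
        for (int h = 0; h < NLOCKS; h++) {
            bool seen[NLOCKS] = { false };
            if (!c->held[h]) continue;
            if (reaches(c, l, h, seen)) {
                printf("possible circular locking dependency: %s -> %s, "
                       "but %s -> %s was seen earlier\n",
                       lock_name[h], lock_name[l], lock_name[l], lock_name[h]);
                bad = true;
            }
            c->order[h][l] = true;
        }
    }
    c->held[l] = true;
    if (bad) c->violations++;
    return bad;
}

static void checker_release(struct lock_checker *c, enum lock_id l) { c->held[l] = false; }

/* Probe-time path from the debrief: devlink lock -> rtnl lock -> netdev lock. */
static void probe_path(struct lock_checker *c)
{
    checker_acquire(c, DEVLINK, false);
    checker_acquire(c, RTNL, false);
    checker_acquire(c, NETDEV, false);
    checker_release(c, NETDEV);
    checker_release(c, RTNL);
    checker_release(c, DEVLINK);
}

/* Pre-fix recovery work handler: netdev_trylock() in the handler itself,
 * then devlink_health_report() takes the devlink lock underneath it. */
static void recovery_before_fix(struct lock_checker *c)
{
    checker_acquire(c, NETDEV, true);
    checker_acquire(c, DEVLINK, false);
    checker_release(c, DEVLINK);
    checker_release(c, NETDEV);
}

/* Post-fix: devlink_health_report() holds the devlink lock first, and the
 * recovery function does netdev_trylock() only where it is actually needed. */
static void recovery_after_fix(struct lock_checker *c)
{
    checker_acquire(c, DEVLINK, false);
    checker_acquire(c, NETDEV, true);
    checker_release(c, NETDEV);
    checker_release(c, DEVLINK);
}

/* Replay the probe ordering followed by one recovery variant and return the
 * number of ordering violations the checker flagged. */
int violations_for_recovery(bool fixed)
{
    struct lock_checker c;
    checker_init(&c);
    probe_path(&c);
    if (fixed) recovery_after_fix(&c); else recovery_before_fix(&c);
    return c.violations;
}

int main(void)
{
    printf("before fix: %d violation(s)\n", violations_for_recovery(false));
    printf("after fix:  %d violation(s)\n", violations_for_recovery(true));
    return 0;
}
```

Compile with `cc -std=c99 -Wall lockorder.c && ./a.out`. The pre-fix replay reports one circular dependency (netdev_lock -> devlink_lock against the earlier devlink_lock -> netdev_lock), which is the same shape of report that the kernel's lockdep would print in a test system where it is enabled, and the post-fix replay reports none. The checker is single-context on purpose: lock order inversions are a property of the dependency graph, so one thread replaying both paths is enough to find them, which is also why lockdep can catch such bugs before an actual deadlock ever happens.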

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Monitor vendor security advisories for distribution-specific updates
  • Review systems using Mellanox ConnectX-4/5/6 adapters with mlx5e driver
  • Consider scheduling maintenance windows for kernel updates on affected high-availability networking systems
  • Verify lockdep debugging is enabled in test environments to detect similar lock ordering issues

Evidence notes

CVE published 2026-05-27. Kernel commit references confirm fix in stable branches. No CVSS score assigned by NVD at time of disclosure.

Official resources

2026-05-27