CVE-2026-46084 Linux CVE debrief

Who should care

Organizations running Linux kernels with MANA (Microsoft Azure Network Adapter) RDMA support, particularly those using DPDK with RSS QPs on Azure VMs. Cloud operators and kernel maintainers responsible for stable branch backports.

Technical summary

The mana_ib_destroy_qp_rss() function in the Linux kernel's RDMA/mana_ib driver destroys RX WQ objects without first disabling vPort RX steering in firmware. This leaves stale steering configuration that continues to reference destroyed RX objects. If traffic arrives while the VF interface is down and the interface is subsequently brought up via mana_open(), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs and triggering warnings in mana_poll_tx_cq() (is_sq == false) and mana_gd_process_eq_events() (cq_table lookup fails). The fix introduces mana_disable_vport_rx() in mana_en, exported for use by mana_ib, to disable RX steering before WQ destruction. The mana_fence_rqs() approach is unsuitable here because fence completions are delivered on CQs polled by user-mode (e.g., DPDK) and are not visible to the kernel driver.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches when available
• Monitor NVD for CVSS scoring updates
• Review DPDK deployments using MANA RDMA for exposure
• Validate VF interface bring-up procedures include proper QP cleanup

Evidence notes

CVE published 2026-05-27. Kernel commit references provided for stable branches. No CVSS score or severity assigned by NVD at time of disclosure.

Official resources