PatchSiren

CVE-2026-46112 Linux CVE debrief

A race condition vulnerability exists in the Linux kernel's RDMA/hns driver where hns_roce_qp_remove() is called without holding required locks during error handling in hns_roce_create_qp_common(). This unlocked access risks memory corruption during queue pair creation failure paths. The fix ensures proper lock acquisition matching other callers' patterns.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with RDMA/hns (HiSilicon Network Subsystem) hardware, particularly those utilizing InfiniBand or RDMA over Converged Ethernet (RoCE) on affected platforms.

Technical summary

The hns_roce_create_qp_common() function in the Linux kernel's RDMA/hns driver contains an error handling path that calls hns_roce_qp_remove() without acquiring the locks required by that function's contract. Other callers of hns_roce_qp_remove() properly hold these locks. The missing synchronization during error unwind creates a race condition that can corrupt memory structures. The resolution adds appropriate lock acquisition to the error path, aligning it with the locking discipline used elsewhere in the driver.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from distribution maintainers
  • Monitor RDMA/hns driver operation for stability issues on affected systems prior to patching
  • Review local kernel build configurations for hns_roce driver usage
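
One way to carry out the build-configuration review above on a host. This is an added example, not part of the advisory or the kernel project. It assumes the driver's Kconfig symbols begin with CONFIG_INFINIBAND_HNS and its module names begin with hns_roce; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# classify_hns <kernel-config> <proc-modules-file>
# Prints: loaded | builtin | module-not-loaded | not-built | unknown
# Assumption: the driver's Kconfig symbols start with CONFIG_INFINIBAND_HNS
# and its module names start with hns_roce.
classify_hns() {
    cfg=$1; mods=$2
    # A loaded module is the strongest signal, whatever the config says.
    if [ -r "$mods" ] && grep -q '^hns_roce' "$mods"; then
        echo loaded; return 0
    fi
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # /proc/config.gz is compressed; /boot/config-* is plain text.
    case $cfg in
        *.gz) reader='gzip -dc' ;;
        *)    reader='cat' ;;
    esac
    # Collect the y/m values of every matching symbol; "is not set" lines
    # are comments and do not match.
    vals=$($reader "$cfg" |
        sed -n 's/^CONFIG_INFINIBAND_HNS[A-Z0-9_]*=\([ym]\)$/\1/p')
    if printf '%s\n' "$vals" | grep -qx y; then
        echo builtin
    elif printf '%s\n' "$vals" | grep -qx m; then
        echo module-not-loaded
    else
        echo not-built
    fi
}

# Constructed sample: driver built as a module, only ib_core loaded.
sample_run() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_INFINIBAND=m' 'CONFIG_INFINIBAND_HNS_HIP08=m' >"$d/config"
    printf '%s\n' 'ib_core 446464 1 ib_uverbs, Live 0x0' >"$d/modules"
    classify_hns "$d/config" "$d/modules"
    rm -rf "$d"
}

# On a live host (usual paths, may differ per distribution):
#   classify_hns "/boot/config-$(uname -r)" /proc/modules
```

A result of loaded or builtin means the driver code is present in the running kernel, so the host belongs at the front of the patch queue; module-not-loaded hosts still need the update because the module can be loaded later.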

Evidence notes

CVE description confirms unlocked call to hns_roce_qp_remove() in error flow; kernel commit references indicate stable branch backports. No CVSS score assigned by NVD at time of disclosure.

Official resources

2026-05-28