PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46176 Linux CVE debrief

A logic error in the Linux kernel's RDMA/mlx5 driver allows use-after-free and NULL/ERR_PTR dereference when SRQ initialization fails. The vulnerability exists in mlx5_ib_dev_res_srq_init(), which allocates two shared receive queues (s0 and s1). When ib_create_srq() fails for s1, the error path destroys s0 but falls through to unconditionally assign both the freed s0 and the error-valued s1 to device resource pointers. This causes three distinct failure modes: subsequent initialization attempts treat the ERR_PTR as already initialized due to a lock-free fast-path check; callers in mlx5_ib_create_qp() dereference the freed or error pointer to access SRQ numbers; and cleanup in mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0. The fix adds proper error flow control to prevent the fall-through assignment.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Organizations running Linux systems with Mellanox ConnectX InfiniBand/RDMA adapters; cloud providers offering RDMA-enabled compute instances; HPC cluster administrators; kernel maintainers and distribution security teams

Technical summary

The mlx5_ib_dev_res_srq_init() function in drivers/infiniband/hw/mlx5/devx.c allocates two SRQs for device resource management. The function uses a lock-free fast path that checks devr->s1 to skip re-initialization. In the error path where s1 allocation fails after s0 succeeds, the code destroys s0 via ib_destroy_srq() but lacks a goto statement to exit the critical section. Execution falls through to assignments of devr->s0 = s0 and devr->s1 = s1, storing a dangling pointer and an error pointer respectively. This pollutes device state: the fast-path check devr->s1 != NULL passes (ERR_PTR is non-NULL), causing early return on retry; mlx5_ib_create_qp() dereferences to_msrq(devr->s0)->msrq.srqn triggering use-after-free or invalid access; mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and calls ib_destroy_srq() on the already-freed s0. The fix inserts 'goto unlock' after ib_destroy_srq(s0) in the s1 failure path, ensuring consistent error handling.
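The failure chain above is easiest to see with the init path, a QP creator and the cleanup path mocked side by side. The following is an added illustration written for this debrief, not code from the Linux kernel: `ib_create_srq()`, `ib_destroy_srq()`, `struct ib_srq`, `struct mlx5_ib_resources` and the `ERR_PTR` helpers are simplified stand-ins, the mutex is reduced to comments, and a destroyed SRQ is only flagged dead rather than freed so the stale pointer can be observed without real heap corruption. The `fixed` flag toggles the single missing `goto unlock`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the <linux/err.h> helpers (assumption: same encoding). */
#define MAX_ERRNO 4095UL
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline bool IS_ERR(const void *p) { return (unsigned long)p >= -MAX_ERRNO; }
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct ib_srq { int srqn; bool destroyed; };            /* simplified stand-in */
struct mlx5_ib_resources { struct ib_srq *s0, *s1; };  /* simplified devr */

/* Fault injection: the N-th ib_create_srq() call fails (0 = never fail). */
static int fail_on_call, create_calls, double_destroys;

static struct ib_srq *ib_create_srq(int srqn)
{
    struct ib_srq *s;
    if (++create_calls == fail_on_call)
        return ERR_PTR(-ENOMEM);
    s = calloc(1, sizeof(*s));
    if (!s)
        return ERR_PTR(-ENOMEM);
    s->srqn = srqn;
    return s;
}

/* Flags the object dead instead of freeing it, so a second teardown is
 * counted rather than corrupting the heap as it would in the kernel. */
static void ib_destroy_srq(struct ib_srq *s)
{
    if (s->destroyed) { double_destroys++; return; }
    s->destroyed = true;
}

/* Shape of the init path described above; 'fixed' adds the missing goto. */
static int srq_init(struct mlx5_ib_resources *devr, bool fixed)
{
    struct ib_srq *s0, *s1;
    int ret = 0;

    if (devr->s1)               /* lock-free fast path: an ERR_PTR also passes */
        return 0;
    /* mutex_lock(&devr->srq_lock) in the driver; re-check under the lock */
    if (devr->s1)
        goto unlock;

    s0 = ib_create_srq(0);
    if (IS_ERR(s0)) { ret = PTR_ERR(s0); goto unlock; }
    s1 = ib_create_srq(1);
    if (IS_ERR(s1)) {
        ret = PTR_ERR(s1);
        ib_destroy_srq(s0);
        if (fixed)
            goto unlock;        /* the one-line fix */
        /* vulnerable: falls through and publishes dead s0 and ERR_PTR s1 */
    }
    devr->s0 = s0;
    devr->s1 = s1;
unlock:
    /* mutex_unlock(&devr->srq_lock) */
    return ret;
}

/* Mirrors a QP creator: ensure the SRQs exist, then read the SRQ number.
 * Returns the srqn, a negative errno, or -1 where the kernel would touch
 * freed memory via to_msrq(devr->s0)->msrq.srqn. */
static int create_qp(struct mlx5_ib_resources *devr, bool fixed)
{
    int ret = srq_init(devr, fixed);
    if (ret)
        return ret;
    if (IS_ERR_OR_NULL(devr->s0) || devr->s0->destroyed)
        return -1;
    return devr->s0->srqn;
}

/* Mirrors the cleanup path; returns how many ERR_PTRs it would dereference. */
static int res_cleanup(struct mlx5_ib_resources *devr)
{
    int errptr_derefs = 0;
    if (!devr->s1)
        return 0;               /* never initialised: nothing to do */
    if (IS_ERR(devr->s1)) errptr_derefs++;   /* kernel would oops here */
    else ib_destroy_srq(devr->s1);
    if (!IS_ERR_OR_NULL(devr->s0)) ib_destroy_srq(devr->s0);  /* double free */
    devr->s0 = devr->s1 = NULL;
    return errptr_derefs;
}

struct outcome { int first_ret, qp_srqn, creates_on_retry, errptr_derefs, double_destroys; };

/* Scenario: s0 succeeds and s1 fails once, then allocations succeed again. */
static struct outcome run(bool fixed)
{
    struct mlx5_ib_resources devr = {0};
    struct outcome o = {0};
    create_calls = double_destroys = 0;

    fail_on_call = 2;
    o.first_ret = srq_init(&devr, fixed);
    fail_on_call = 0;
    o.creates_on_retry = -create_calls;
    o.qp_srqn = create_qp(&devr, fixed);     /* can the driver recover? */
    o.creates_on_retry += create_calls;      /* 0 means the fast path short-circuited */
    o.errptr_derefs = res_cleanup(&devr);
    o.double_destroys = double_destroys;
    return o;
}

int main(void)
{
    struct outcome v = run(false), f = run(true);
    printf("vuln : srqn=%d retry_creates=%d errptr=%d double=%d\n",
           v.qp_srqn, v.creates_on_retry, v.errptr_derefs, v.double_destroys);
    printf("fixed: srqn=%d retry_creates=%d errptr=%d double=%d\n",
           f.qp_srqn, f.creates_on_retry, f.errptr_derefs, f.double_destroys);
    return 0;
}
```

In the vulnerable run the retry performs zero SRQ creations because the ERR_PTR in `devr->s1` satisfies the non-NULL fast-path check, the QP creator then reads through the already-destroyed `s0`, and cleanup both dereferences the ERR_PTR and tears `s0` down a second time. With the `goto unlock` in place, `devr` is left untouched on failure, the retry creates both SRQs and the QP sees a valid `srqn`. The same fast-path shape recurs in other lazily-initialised kernel resources, so the check worth adding to a review of custom driver changes is that no error path ever publishes a pointer it has just freed or one that is an ERR_PTR.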

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Monitor distribution security advisories for backported fixes
  • Review systems using Mellanox ConnectX RDMA adapters for kernel update scheduling
  • Validate SRQ initialization error handling in custom RDMA/mlx5 driver modifications

Evidence notes

Vulnerability description and fix details are sourced from the official CVE record and the NVD entry published 2026-05-28. Kernel commit references confirm the affected code path and the resolution. No CVSS score or severity rating was available at the time of original publication.

Official resources

2026-05-28