PatchSiren

CVE-2026-46181 Linux CVE debrief

A race condition vulnerability in the Linux kernel's RDMA/mlx4 driver could allow system crashes due to improper synchronization during Shared Receive Queue (SRQ) event handling. The flaw stems from incorrect use of RCU (Read-Copy-Update) synchronization in mlx4_srq_event(), where the SRQ structure was accessed without adequate protection against partially initialized objects. The vulnerability could be triggered if an RDMA event is delivered before SRQ initialization completes, leading to a use-before-initialization condition. The fix replaces RCU with a spinlock for proper synchronization and introduces refcount_inc_not_zero() to prevent access to incompletely initialized SRQ structures, with careful ordering to ensure refcount_set() occurs only after full initialization.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

  • Organizations running Linux systems with Mellanox ConnectX-3 or earlier InfiniBand/Ethernet adapters utilizing RDMA Shared Receive Queues
  • Cloud providers offering RDMA-enabled instances
  • HPC clusters using mlx4-based interconnects
  • Kernel maintainers and distribution security teams tracking RDMA subsystem fixes

Technical summary

The mlx4_srq_event() function in the Linux kernel's RDMA/mlx4 driver incorrectly used RCU synchronization for accessing SRQ (Shared Receive Queue) structures. While the radix_tree lookup is RCU-safe, the mlx4_srq structure itself lacks RCU-managed freeing, and the code accessed the structure outside any RCU critical section. More critically, no mechanism prevented event delivery from racing with SRQ initialization, potentially dereferencing a partially initialized structure. The resolution replaces RCU with a spinlock for mutual exclusion, adds refcount_inc_not_zero() to detect and reject accesses to uninitialized objects, and reorders initialization to ensure refcount_set() follows complete SRQ setup. This eliminates the crash vector while maintaining correct reference counting for SRQ lifecycle management.
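The pattern described above, reduced to a userspace C model as an added example (it is not the kernel patch and not code from this advisory): the lookup runs under a lock, a reference is taken only when the count is non-zero, and the count is set only after setup is complete. Assumptions: all names (srq_model, tbl, srq_insert, srq_finish_init, srq_event) are hypothetical, an atomic_flag stands in for the spinlock, an array stands in for the radix tree, and teardown is not modelled.

```c
/* Userspace model with C11 atomics; every name is hypothetical, not mlx4 code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
struct srq_model {
    atomic_uint refcount;               /* 0 = not yet usable */
    void (*event)(struct srq_model *);  /* filled in late during setup */
    int events_seen;
};
static atomic_flag tbl_lock = ATOMIC_FLAG_INIT;  /* stands in for the spinlock */
static struct srq_model *tbl[8];                 /* stands in for the radix tree */
static void lock(void) { while (atomic_flag_test_and_set(&tbl_lock)) {} }
static void unlock(void) { atomic_flag_clear(&tbl_lock); }
static void on_event(struct srq_model *s) { s->events_seen++; }
/* Model of refcount_inc_not_zero(): take a reference only if the count is > 0. */
static bool get_not_zero(struct srq_model *s) {
    unsigned int old = atomic_load(&s->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&s->refcount, &old, old + 1))
            return true;
    return false;
}
/* Assumed creation order: the object becomes findable while half built. */
static void srq_insert(struct srq_model *s, unsigned int n) {
    atomic_init(&s->refcount, 0);
    s->event = NULL; s->events_seen = 0;
    lock(); tbl[n % 8] = s; unlock();
}
/* Finish setup first, then publish a non-zero refcount as the last step. */
static void srq_finish_init(struct srq_model *s) {
    s->event = on_event;
    atomic_store(&s->refcount, 1);
}
/* Event path: look up under the lock and reject objects still at refcount 0. */
static bool srq_event(unsigned int n) {
    lock();
    struct srq_model *s = tbl[n % 8];
    bool ok = s != NULL && get_not_zero(s);
    unlock();
    if (!ok) return false;
    s->event(s);                        /* safe: setup finished before refcount was set */
    atomic_fetch_sub(&s->refcount, 1);  /* drop the event's reference */
    return true;
}
int main(void) {
    struct srq_model s;
    srq_insert(&s, 3);
    bool early = srq_event(3);          /* rejected: refcount still 0 */
    srq_finish_init(&s);
    return (!early && srq_event(3)) ? 0 : 1;
}
```

Without the non-zero check, the early event in this model would call through a NULL handler, which is the use-before-initialization case the summary describes.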

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced commits when available from your Linux distribution
  • For systems using Mellanox ConnectX-3 or earlier InfiniBand/Ethernet adapters with SRQ functionality, prioritize kernel patching
  • Monitor NVD for CVSS scoring once analysis is complete
  • Review kernel logs for any historical mlx4_srq-related crashes that may indicate prior exploitation attempts
  • Consider disabling SRQ functionality on affected systems if patching is not immediately feasible and the feature is not required

Evidence notes

The vulnerability description indicates this was a code correctness issue identified during review (attributed to 'Sashiko') rather than an externally reported exploit. The fix involves three commits to stable kernel branches, suggesting backporting to multiple supported kernel versions. The CVSS score is not yet assigned (NVD status: Awaiting Analysis). The vendor identification has low confidence and requires review, though the source code references clearly indicate this is a Linux kernel issue affecting Mellanox mlx4 RDMA driver users.
