Vulnerability-Lookup

alsa-2026:25120

Vulnerability from osv_almalinux

Published

2026-06-10 00:00

Modified

2026-06-11 08:42

Summary

Critical: kernel-rt security update

Details

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

kernel: geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)
kernel: smc: Fix use-after-free in tcp_write_timer_handler() (CVE-2023-53781)
kernel: nbd: defer config unlock in nbd_genl_connect (CVE-2025-68366)
kernel: libceph: prevent potential out-of-bounds reads in handle_auth_done() (CVE-2026-22984)
kernel: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990)
kernel: netfilter: nf_tables: release flowtable after rcu grace period on error (CVE-2026-23392)
kernel: ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
kernel: smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613)
kernel: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (CVE-2026-43037)
kernel: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (CVE-2026-43038)
kernel: dlm: validate length in dlm_search_rsb_tree (CVE-2026-43125)
kernel: RDMA/rxe: Fix double free in rxe_srq_from_init (CVE-2026-45852)
kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() (CVE-2026-46181)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:25120	ADVISORY
	https://access.redhat.com/security/cve/CVE-2023-53781	REPORT
	https://access.redhat.com/security/cve/CVE-2025-21858	REPORT
	https://access.redhat.com/security/cve/CVE-2025-68366	REPORT
	https://access.redhat.com/security/cve/CVE-2026-22984	REPORT
	https://access.redhat.com/security/cve/CVE-2026-22990	REPORT
	https://access.redhat.com/security/cve/CVE-2026-23392	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31581	REPORT
	https://access.redhat.com/security/cve/CVE-2026-31613	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43037	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43038	REPORT
	https://access.redhat.com/security/cve/CVE-2026-43125	REPORT
	https://access.redhat.com/security/cve/CVE-2026-45852	REPORT
	https://access.redhat.com/security/cve/CVE-2026-46181	REPORT
	https://bugzilla.redhat.com/2351619	REPORT
	https://bugzilla.redhat.com/2420279	REPORT
	https://bugzilla.redhat.com/2424881	REPORT
	https://bugzilla.redhat.com/2432389	REPORT
	https://bugzilla.redhat.com/2432400	REPORT
	https://bugzilla.redhat.com/2451218	REPORT
	https://bugzilla.redhat.com/2461471	REPORT
	https://bugzilla.redhat.com/2461480	REPORT
	https://bugzilla.redhat.com/2464351	REPORT
	https://bugzilla.redhat.com/2464397	REPORT
	https://bugzilla.redhat.com/2467234	REPORT
	https://bugzilla.redhat.com/2482166	REPORT
	https://bugzilla.redhat.com/2482532	REPORT
	https://errata.almalinux.org/8/ALSA-2026-25120.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.132.1.rt7.473.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.  \n\nSecurity Fix(es):  \n\n  * kernel: geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)\n  * kernel: smc: Fix use-after-free in tcp_write_timer_handler() (CVE-2023-53781)\n  * kernel: nbd: defer config unlock in nbd_genl_connect (CVE-2025-68366)\n  * kernel: libceph: prevent potential out-of-bounds reads in handle_auth_done() (CVE-2026-22984)\n  * kernel: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990)\n  * kernel: netfilter: nf_tables: release flowtable after rcu grace period on error (CVE-2026-23392)\n  * kernel: ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)\n  * kernel: smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613)\n  * kernel: ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err() (CVE-2026-43037)\n  * kernel: ipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach() (CVE-2026-43038)\n  * kernel: dlm: validate length in dlm_search_rsb_tree (CVE-2026-43125)\n  * kernel: RDMA/rxe: Fix double free in rxe_srq_from_init (CVE-2026-45852)\n  * kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() (CVE-2026-46181)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:25120",
  "modified": "2026-06-11T08:42:31Z",
  "published": "2026-06-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:25120"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-53781"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-21858"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-68366"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-22984"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-22990"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31581"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31613"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43037"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43038"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43125"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45852"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46181"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2351619"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2420279"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2424881"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2432389"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2432400"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2451218"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2461471"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2461480"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464351"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2464397"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2467234"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2482166"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2482532"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-25120.html"
    }
  ],
  "related": [
    "CVE-2025-21858",
    "CVE-2023-53781",
    "CVE-2025-68366",
    "CVE-2026-22984",
    "CVE-2026-22990",
    "CVE-2026-23392",
    "CVE-2026-31581",
    "CVE-2026-31613",
    "CVE-2026-43037",
    "CVE-2026-43038",
    "CVE-2026-43125",
    "CVE-2026-45852",
    "CVE-2026-46181"
  ],
  "summary": "Critical: kernel-rt security update"
}

CVE-2026-43125 (GCVE-0-2026-43125)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:18

Title

dlm: validate length in dlm_search_rsb_tree

Summary

In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/67288113c5e6cf9e6…
https://git.kernel.org/stable/c/082083c9fbd99422a…
https://git.kernel.org/stable/c/5f053a2e7209d326c…
https://git.kernel.org/stable/c/080e5563f878c64e6…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 7210cb7a72a22303cdb225bd1aea28697a17bbae , < 67288113c5e6cf9e659b4065c0ed6f16100e0c71 (git) Affected: 7210cb7a72a22303cdb225bd1aea28697a17bbae , < 082083c9fbd99422a0370fe2102144a231c9f5d6 (git) Affected: 7210cb7a72a22303cdb225bd1aea28697a17bbae , < 5f053a2e7209d326cbbc07738fa6d6893d307438 (git) Affected: 7210cb7a72a22303cdb225bd1aea28697a17bbae , < 080e5563f878c64e697b89e7439d730d0daad882 (git)
Linux	Linux	Affected: 3.4 Unaffected: 0 , < 3.4 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/dlm/lock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "67288113c5e6cf9e659b4065c0ed6f16100e0c71",
              "status": "affected",
              "version": "7210cb7a72a22303cdb225bd1aea28697a17bbae",
              "versionType": "git"
            },
            {
              "lessThan": "082083c9fbd99422a0370fe2102144a231c9f5d6",
              "status": "affected",
              "version": "7210cb7a72a22303cdb225bd1aea28697a17bbae",
              "versionType": "git"
            },
            {
              "lessThan": "5f053a2e7209d326cbbc07738fa6d6893d307438",
              "status": "affected",
              "version": "7210cb7a72a22303cdb225bd1aea28697a17bbae",
              "versionType": "git"
            },
            {
              "lessThan": "080e5563f878c64e697b89e7439d730d0daad882",
              "status": "affected",
              "version": "7210cb7a72a22303cdb225bd1aea28697a17bbae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/dlm/lock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: validate length in dlm_search_rsb_tree\n\nThe len parameter in dlm_dump_rsb_name() is not validated and comes\nfrom network messages. When it exceeds DLM_RESNAME_MAXLEN, it can\ncause out-of-bounds write in dlm_search_rsb_tree().\n\nAdd length validation to prevent potential buffer overflow."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:18:14.426Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/67288113c5e6cf9e659b4065c0ed6f16100e0c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/082083c9fbd99422a0370fe2102144a231c9f5d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f053a2e7209d326cbbc07738fa6d6893d307438"
        },
        {
          "url": "https://git.kernel.org/stable/c/080e5563f878c64e697b89e7439d730d0daad882"
        }
      ],
      "title": "dlm: validate length in dlm_search_rsb_tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43125",
    "datePublished": "2026-05-06T11:27:10.903Z",
    "dateReserved": "2026-05-01T14:12:55.988Z",
    "dateUpdated": "2026-05-11T22:18:14.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45852 (GCVE-0-2026-45852)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:15 – Updated: 2026-05-30 10:45

Title

RDMA/rxe: Fix double free in rxe_srq_from_init

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/22b8c23a3b92d0236…
https://git.kernel.org/stable/c/af595624301891813…
https://git.kernel.org/stable/c/d286f0d4e3ad3caf5…
https://git.kernel.org/stable/c/26793db60925df1e8…
https://git.kernel.org/stable/c/ce6f8e007682f3782…
https://git.kernel.org/stable/c/5c07aef09a121a4cd…
https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa…
https://git.kernel.org/stable/c/0beefd0e15d962f49…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 22b8c23a3b92d023614bb00896fe364b2c1a31d3 (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < af5956243018918130d52c9f671efdb40bab3366 (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947 (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 26793db60925df1e88a29466813d586cbc190b8c (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < ce6f8e007682f378279d4cf83b240f12d52c723b (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 5c07aef09a121a4cd622a71eb0753a9e135c84a8 (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 26a9cfe12f4ffdeaa136f252478986fa5f397ddc (git) Affected: aae0484e15f062ad2c2502e68e15dfb8b8f84608 , < 0beefd0e15d962f497aad750b2d5e9c3570b66d1 (git) Affected: 350703fae672d4d649c3562c199eab5ec9dc7c79 (git) Affected: 4.19.86 , < 4.20 (semver)
Linux	Linux	Affected: 4.20 Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "22b8c23a3b92d023614bb00896fe364b2c1a31d3",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "af5956243018918130d52c9f671efdb40bab3366",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "26793db60925df1e88a29466813d586cbc190b8c",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "ce6f8e007682f378279d4cf83b240f12d52c723b",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "5c07aef09a121a4cd622a71eb0753a9e135c84a8",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "26a9cfe12f4ffdeaa136f252478986fa5f397ddc",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "lessThan": "0beefd0e15d962f497aad750b2d5e9c3570b66d1",
              "status": "affected",
              "version": "aae0484e15f062ad2c2502e68e15dfb8b8f84608",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "350703fae672d4d649c3562c199eab5ec9dc7c79",
              "versionType": "git"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.86",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.86",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix double free in rxe_srq_from_init\n\nIn rxe_srq_from_init(), the queue pointer \u0027q\u0027 is assigned to\n\u0027srq-\u003erq.queue\u0027 before copying the SRQ number to user space.\nIf copy_to_user() fails, the function calls rxe_queue_cleanup()\nto free the queue, but leaves the now-invalid pointer in\n\u0027srq-\u003erq.queue\u0027.\n\nThe caller of rxe_srq_from_init() (rxe_create_srq) eventually\ncalls rxe_srq_cleanup() upon receiving the error, which triggers\na second rxe_queue_cleanup() on the same memory, leading to a\ndouble free.\n\nThe call trace looks like this:\n   kmem_cache_free+0x.../0x...\n   rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]\n   rxe_srq_cleanup+0x42/0x60 [rdma_rxe]\n   rxe_elem_release+0x31/0x70 [rdma_rxe]\n   rxe_create_srq+0x12b/0x1a0 [rdma_rxe]\n   ib_create_srq_user+0x9a/0x150 [ib_core]\n\nFix this by moving \u0027srq-\u003erq.queue = q\u0027 after copy_to_user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-30T10:45:31.506Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/22b8c23a3b92d023614bb00896fe364b2c1a31d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/af5956243018918130d52c9f671efdb40bab3366"
        },
        {
          "url": "https://git.kernel.org/stable/c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947"
        },
        {
          "url": "https://git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1"
        }
      ],
      "title": "RDMA/rxe: Fix double free in rxe_srq_from_init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45852",
    "datePublished": "2026-05-27T12:15:26.084Z",
    "dateReserved": "2026-05-13T15:03:33.079Z",
    "dateUpdated": "2026-05-30T10:45:31.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46181 (GCVE-0-2026-46181)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-05-30 10:48

Title

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/1e2a44875b6afb4ad…
https://git.kernel.org/stable/c/8b7833f3bce35cb0d…
https://git.kernel.org/stable/c/c9341307ea16b9395…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 30353bfc43a1602c020f31d95cf27182ffd23824 , < 1e2a44875b6afb4add1115f7f3351dcbeb6f273d (git) Affected: 30353bfc43a1602c020f31d95cf27182ffd23824 , < 8b7833f3bce35cb0d01c1503781523c099c675f0 (git) Affected: 30353bfc43a1602c020f31d95cf27182ffd23824 , < c9341307ea16b9395c2e4c9c94d8499d91fe31d0 (git)
Linux	Linux	Affected: 4.9 Unaffected: 0 , < 4.9 (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx4/srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e2a44875b6afb4add1115f7f3351dcbeb6f273d",
              "status": "affected",
              "version": "30353bfc43a1602c020f31d95cf27182ffd23824",
              "versionType": "git"
            },
            {
              "lessThan": "8b7833f3bce35cb0d01c1503781523c099c675f0",
              "status": "affected",
              "version": "30353bfc43a1602c020f31d95cf27182ffd23824",
              "versionType": "git"
            },
            {
              "lessThan": "c9341307ea16b9395c2e4c9c94d8499d91fe31d0",
              "status": "affected",
              "version": "30353bfc43a1602c020f31d95cf27182ffd23824",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx4/srq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()\n\nSashiko points out the radix_tree itself is RCU safe, but nothing ever\nfrees the mlx4_srq struct with RCU, and it isn\u0027t even accessed within the\nRCU critical section. It also will crash if an event is delivered before\nthe srq object is finished initializing.\n\nUse the spinlock since it isn\u0027t easy to make RCU work, use\nrefcount_inc_not_zero() to protect against partially initialized objects,\nand order the refcount_set() to be after the srq is fully initialized."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-30T10:48:49.289Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e2a44875b6afb4add1115f7f3351dcbeb6f273d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b7833f3bce35cb0d01c1503781523c099c675f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9341307ea16b9395c2e4c9c94d8499d91fe31d0"
        }
      ],
      "title": "RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46181",
    "datePublished": "2026-05-28T09:36:34.706Z",
    "dateReserved": "2026-05-13T15:03:33.103Z",
    "dateUpdated": "2026-05-30T10:48:49.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:25120

Vulnerability from osv_almalinux

CVE-2026-43125 (GCVE-0-2026-43125)

CVE-2026-45852 (GCVE-0-2026-45852)

CVE-2026-46181 (GCVE-0-2026-46181)

Tags

Sightings

Nomenclature