CVE-2026-45852

HIGH

RDMA/rxe: Fix double free in rxe_srq_from_init

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user.

References (23)

Core 23
Core References

Scores

CVSS v3 7.8
EPSS 0.0018
EPSS Percentile 7.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-415
Status published
Products (34)
linux/Kernel 4.20.0 - 5.10.259linux
linux/Kernel 5.11.0 - 5.15.210linux
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 6.13.0 - 6.18.14linux
linux/Kernel 6.19.0 - 6.19.4linux
linux/Kernel 6.2.0 - 6.6.128linux
linux/Kernel 6.7.0 - 6.12.75linux
Linux/Linux < 4.20
Linux/Linux 350703fae672d4d649c3562c199eab5ec9dc7c79
Linux/Linux 4.19.86 - 4.20
... and 24 more
Published May 27, 2026
Tracked Since May 27, 2026