Severity: HIGH. CVE-2026-46112. CNA: Linux.

CVE-2026-46112: RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.

Grab the same locks the other two callers use.

HarborGuard Analysis


Synopsis

This is a missing-lock (race condition leading to memory corruption) vulnerability in the Linux kernel's RDMA/hns driver, which manages HiSilicon RoCE network adapters. The flaw is reachable locally by a low-privileged user and requires no network access; exploitation occurs during an error-unwind path in queue-pair creation that fails to acquire the required locks before calling hns_roce_qp_remove(), leaving shared data structures in a corrupt state. Successful exploitation gives an attacker full read, write, and crash capabilities over the affected kernel subsystem. Patched-image rebuilds at versions 6.6.140 and 6.12.88 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46112 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built kernel or base images that carry affected Linux kernel versions. Coverage extends to any image layer that packages the affected kernel range, not just official distribution images.

Triage

Triage is available with the CVSS v3.1 score of 7.8 (HIGH) applied automatically, weighted against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch

A patched-image rebuild at kernel versions 6.6.140 and 6.12.88 becomes available on HarborGuard for any environment running an affected version once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.


Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerability is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the vulnerable code path; no administrative rights are needed.

  • Victim interaction: Not required

    No action from another user or process is required; the attacker can trigger the flaw independently.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race timing, memory-layout knowledge, or special environmental state is required beyond local access.

Blast Radius

  • Reads kernel memory, exposing sensitive data such as credentials, cryptographic material, or other processes' memory contents.
  • Writes to kernel data structures, allowing modification of security controls, process permissions, or persisted state.
  • Corrupts shared kernel memory through the unlocked removal path, which can crash the host or destabilize the RDMA subsystem for all users on the machine.
  • Privilege escalation to root is a realistic outcome given full kernel read and write access.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of publication for any image carrying a Linux kernel version in the affected range, including custom base images. Where compliance policy permits, a rebuilt image at the fixed kernel versions (6.6.140 or 6.12.88) is made available immediately. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes, covering the rebuild, regression run, and PR creation against affected workloads. Customers who cannot immediately update should consider restricting local user access to RDMA device nodes via Linux device-permission policies or seccomp/AppArmor profiles as a compensating control while scheduling the upgrade.


Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < fb4ae739811d467409bd07d0e36cfd4140f3d26a (from e088a685eae94a0607b8f7b99949a0e14d748813) · < fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb (from e088a685eae94a0607b8f7b99949a0e14d748813) · < 1912f78798505dc9c637081bbddfbf1c22494c49 (from e088a685eae94a0607b8f7b99949a0e14d748813) · < 615d9d260c32bb678504ca96f29ae46f9d745155 (from e088a685eae94a0607b8f7b99949a0e14d748813) · < 0c99acbc8b6c6dd526ae475a48ee1897b61072fb (from e088a685eae94a0607b8f7b99949a0e14d748813)
  • Linux / Linux
    4.17
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
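
A host-side triage check built from the "Fixed in" versions listed above, as an added example (not HarborGuard's or the kernel project's code). It assumes upstream version numbering, so distribution backports are not recognised, and it assumes the driver's loadable modules have names starting with `hns_roce`; the sample inputs are constructed.

```python
import re

# Fixed patch level per stable series, copied from the "Fixed in" line on this page.
FIXED = {(6, 6): 140, (6, 12): 88, (6, 18): 30, (7, 0): 7}
INTRODUCED = (4, 17)     # first affected release listed on this page
MAINLINE_FIX = (7, 1)    # page lists 7.1-rc3 as the fixed mainline release
MAINLINE_FIX_RC = 3


def classify(release: str) -> str:
    """Map a `uname -r` string to not-affected / fixed / vulnerable / unknown."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if series < INTRODUCED:
        return "not-affected"
    if series > MAINLINE_FIX:
        return "fixed"
    if series == MAINLINE_FIX:
        # A final release (no -rc suffix) or rc3 and later carries the fix.
        return "fixed" if rc is None or rc >= MAINLINE_FIX_RC else "vulnerable"
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "vulnerable"
    # Affected series for which this page lists no fixed release.
    return "vulnerable"


def hns_roce_loaded(proc_modules: str) -> bool:
    """True if /proc/modules text lists a module whose name starts with hns_roce.

    Assumption: module naming prefix. A driver built into the kernel image
    does not appear in /proc/modules and is not detected here.
    """
    names = (line.split()[0] for line in proc_modules.splitlines() if line.strip())
    return any(name.startswith("hns_roce") for name in names)


def exposed(release: str, proc_modules: str) -> bool:
    """Host needs attention: vulnerable upstream version and driver loaded."""
    return classify(release) == "vulnerable" and hns_roce_loaded(proc_modules)


# Constructed sample of /proc/modules content for illustration.
SAMPLE_MODULES = "hns_roce_hw_v2 253952 0 - Live 0x0\nib_uverbs 163840 1 - Live 0x0\n"

if __name__ == "__main__":
    for rel in ("6.6.139", "6.6.140-generic", "7.1.0-rc2", "4.16.3"):
        print(rel, classify(rel), exposed(rel, SAMPLE_MODULES))
```

On a live host, pass the output of `uname -r` and the contents of `/proc/modules` to `exposed()`.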