HIGH · CVE-2026-46176 · CNA: Linux

CVE-2026-46176: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path.
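The error-path pattern the description walks through, as a constructed C model added here (it is not the mlx5 driver's code): the names devr, s0, s1, ERR_PTR and the unlock label come from the description; create_srq(), the fail_at test hook and the simplified ERR_PTR macros are assumptions. The same function runs once with the fall-through and once with the `goto unlock`, so the difference in what a later caller sees is observable.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Simplified stand-ins for the kernel's ERR_PTR helpers (assumed, LP64 only). */
#define ERR_PTR(err) ((struct srq *)(long)(err))
#define IS_ERR(p)    ((unsigned long)(p) >= (unsigned long)-4095)
#define PTR_ERR(p)   ((int)(long)(p))
struct srq { int srqn; };
struct dev_res { struct srq *s0, *s1; };
static int fail_at, create_calls;      /* test hook: which create call fails (0 = none) */

static struct srq *create_srq(void) {  /* stand-in for ib_create_srq() */
    struct srq *s;
    if (++create_calls == fail_at) return ERR_PTR(-ENOMEM);
    s = malloc(sizeof *s);
    s->srqn = create_calls;
    return s;
}

/* fixed=false reproduces the fall-through; fixed=true adds the missing `goto unlock`.
 * The lock the real function takes around this section is omitted. */
static int srq_init(struct dev_res *devr, bool fixed) {
    struct srq *s0, *s1;
    int ret = 0;
    if (devr->s1) return 0;          /* lock-free fast path: an ERR_PTR is non-NULL, so it passes */
    s0 = create_srq();
    if (IS_ERR(s0)) { ret = PTR_ERR(s0); goto unlock; }
    s1 = create_srq();
    if (IS_ERR(s1)) {
        ret = PTR_ERR(s1);
        free(s0);                    /* s0 destroyed... */
        if (fixed) goto unlock;      /* ...and the fix stops here instead of falling through */
    }
    devr->s0 = s0;                   /* unfixed: stores the freed s0 and the ERR_PTR s1 */
    devr->s1 = s1;
unlock:
    return ret;
}

/* Scenario: the s1 allocation fails once, then a later caller retries with no failure.
 * Returns how many SRQs the retry created: 0 = poisoned devr taken as initialised, 2 = real setup. */
static int retry_after_s1_failure(bool fixed) {
    struct dev_res devr = { NULL, NULL };
    int before;
    fail_at = 2; create_calls = 0;
    if (srq_init(&devr, fixed) != -ENOMEM) return -1;
    fail_at = 0; before = create_calls;
    if (srq_init(&devr, fixed) != 0) return -1;
    if (fixed) { free(devr.s0); free(devr.s1); }  /* cleanup is only safe on the fixed path */
    return create_calls - before;
}
```

On the unfixed path the retry returns success without creating anything, which is the "treats the ERR_PTR as already initialised" behaviour the description names; the dangling devr->s0 is never dereferenced here.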

HarborGuard Analysis

Synopsis

A use-after-free and double-free vulnerability exists in the Linux kernel's RDMA/mlx5 driver, specifically in the mlx5_ib_dev_res_srq_init() function. The flaw is reachable locally by an authenticated low-privilege user and, when triggered, allows the attacker to read kernel memory, tamper with kernel data structures, and crash or take control of the affected host. Patched-image rebuilds at the fix versions (6.6.140, 6.12.88, 6.18.30, and commit 6fd93142dd1d) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that package an affected kernel or kernel module. Any image whose base layer or installed kernel package falls within the affected version ranges is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.8 HIGH and weights it against each customer environment's compliance policy, escalating findings on production or privileged workloads accordingly. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at the fix versions (6.6.140, 6.12.88, 6.18.30, or the equivalent upstream commit) becomes available on HarborGuard once the upstream fix is confirmed in the corresponding package repository. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the faulty error path in the RDMA driver.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the vulnerability directly without social engineering.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free once local access is established; no race conditions or special memory layout requirements are documented.

Blast Radius

  • An attacker reads arbitrary kernel memory, including sensitive data such as credentials, keys, or session tokens held in kernel space.
  • An attacker corrupts kernel data structures through the double-free and use-after-free, allowing modification of persisted kernel state or security policy objects.
  • An attacker crashes the affected host by triggering the double-free or dereferencing the ERR_PTR during teardown, causing a kernel panic.
  • In the worst case, the attacker achieves arbitrary kernel code execution by exploiting the freed SRQ or ERR_PTR dereference to redirect kernel control flow.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE ingestion for any image whose kernel package version falls in the affected range, covering both upstream base images and internally built images. For environments running an affected kernel, a patched-image rebuild targeting the fixed versions (6.6.140, 6.12.88, 6.18.30, or commit 6fd93142dd1d) becomes available as soon as the corresponding package repository publishes the fix. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, the finding is queued in the triage inbox with full CVSS context and affected layer details so engineers can act manually. As a compensating control while a patch is being applied, restricting access to RDMA-capable interfaces via Linux namespace isolation or kernel module unloading (if RDMA is not operationally required) limits exposure to the vulnerable code path.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

Fixed versions: 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3

Fix commits: 6fd93142dd1d09000c3750af08270f5792523fe9, a13c2ac4d480b734342c6fbf8249fc48afd675f3, b087913ae88256df66620f7ba0a9776716aeef7e, bc2cf5935b4665172235341163315905197ae91d, c488df06bd552bb8b6e14fa0cfd5ad986c6e9525
Affected packages
  • Linux / Linux
    < a13c2ac4d480b734342c6fbf8249fc48afd675f3 (from b6334d2356fc0922ed01457960f74923058a353a) · < bc2cf5935b4665172235341163315905197ae91d (from 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467) · < b087913ae88256df66620f7ba0a9776716aeef7e (from 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467) · < 6fd93142dd1d09000c3750af08270f5792523fe9 (from 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467) · < c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 (from 5895e70f2e6e8dc67b551ca554d6fcde0a7f0467) · < 6.6.140 (from 6.6.64)
  • Linux / Linux
    6.11
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H