CVE-2026-46181: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.
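The fix pattern described in the commit message, modelled in user space as an added example (this is not the kernel's or the mlx4 driver's code): a spinlock (an atomic_flag here) guards the lookup table, refcount_inc_not_zero() is emulated with a CAS loop, and the refcount is set to 1 only after initialization is complete, so an event that arrives during the window gets NULL instead of a half-built object. All names ending in `_model` are assumptions for this illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* User-space model of the fix pattern in the commit message (illustrative names,
 * not mlx4 code): lookup under a spinlock plus refcount_inc_not_zero(); refcount is 0 until init completes. */
#define TABLE_SIZE 16
struct srq_model {
    atomic_int refcount;  /* 0 = reachable but not yet initialized */
    int hw_state;         /* stands in for fields filled during init */
};
static struct srq_model *srq_table[TABLE_SIZE];
static atomic_flag srq_table_lock = ATOMIC_FLAG_INIT;  /* the spinlock */
static void srq_lock(void)   { while (atomic_flag_test_and_set(&srq_table_lock)) {} }
static void srq_unlock(void) { atomic_flag_clear(&srq_table_lock); }

/* Equivalent of refcount_inc_not_zero(): increment unless already zero. */
static bool refcount_inc_not_zero_model(atomic_int *r)
{
    int old = atomic_load(r);
    while (old != 0 && !atomic_compare_exchange_weak(r, &old, old + 1)) {}
    return old != 0;
}

/* Owner, step 1: make the object reachable while its refcount is still 0. */
struct srq_model *srq_insert_model(int idx)
{
    struct srq_model *s = calloc(1, sizeof(*s));
    srq_lock();
    srq_table[idx] = s;
    srq_unlock();
    return s;
}

/* Owner, step 2: finish init, then refcount_set(1) as the very last step. */
struct srq_model *srq_finish_init_model(int idx)
{
    struct srq_model *s = srq_table[idx];
    s->hw_state = 42;               /* constructed stand-in for init work */
    atomic_store(&s->refcount, 1);  /* seq_cst store publishes hw_state too */
    return s;
}

/* Event path: lookup and reference under the lock; a refcount-0 entry yields NULL. */
struct srq_model *srq_event_lookup_model(int idx)
{
    srq_lock();
    struct srq_model *s = srq_table[idx];
    if (s && !refcount_inc_not_zero_model(&s->refcount)) s = NULL;
    srq_unlock();
    return s;
}
```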
HarborGuard Analysis
Synopsis
A use-after-free and uninitialized-object race condition exists in the Linux kernel's RDMA/mlx4 driver, specifically in the mlx4_srq_event() function. An attacker with a low-privilege local shell on the host can trigger the flaw by racing hardware RDMA events against shared receive queue (SRQ) initialization or teardown, exploiting incorrect RCU locking that fails to protect the mlx4_srq struct. Successful exploitation gives the attacker full read, write, and execution capability over kernel memory. A patched-image rebuild is available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected Linux kernel version. Any image whose kernel falls below the fixed commits or release tags (6.18.30, 7.0.7, 7.1-rc3) is flagged immediately.
- Triage: Available
HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and can weight that score against each customer environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Remediation: Available
A patched-image rebuild at the fix versions (6.18.30, 7.0.7, or 7.1-rc3, as appropriate to the base image) is available on HarborGuard for environments running an affected kernel. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the race condition; no administrative rights are needed.
- Victim interaction: Not required
No user interaction is required; the attacker triggers the vulnerability entirely through their own process.
- Attack complexity: Low
Exploit complexity is low: the race condition is reliably triggerable without special memory layout or environmental prerequisites beyond local access.
Blast Radius
- A successful attacker reads arbitrary kernel memory, exposing credentials, session tokens, and data belonging to any process on the host.
- A successful attacker writes to arbitrary kernel memory, allowing modification of kernel data structures, process credentials, or persisted data.
- A successful attacker can achieve kernel-level code execution, giving full control over the host operating system.
- All containers and workloads sharing the affected kernel on the same host are exposed to compromise.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image whose kernel version falls below the fixed releases (6.18.30, 7.0.7, 7.1-rc3). For customers who opt into auto-remediation, HarborGuard can rebuild the image at the appropriate patched version, execute a regression-test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or base-image constraints prevent an immediate rebuild, compensating controls such as restricting local user access to RDMA-capable interfaces, applying kernel module loading restrictions, and isolating RDMA workloads via namespace or cgroup policy are worth evaluating while the rebuild is staged.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 1e2a44875b6afb4add1115f7f3351dcbeb6f273d (from 30353bfc43a1602c020f31d95cf27182ffd23824) · < 8b7833f3bce35cb0d01c1503781523c099c675f0 (from 30353bfc43a1602c020f31d95cf27182ffd23824) · < c9341307ea16b9395c2e4c9c94d8499d91fe31d0 (from 30353bfc43a1602c020f31d95cf27182ffd23824)
- Linux / Linux, from 4.9: Fixed in 0, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H