CVE-2026-46265: RDMA/hns: Fix WQ_MEM_RECLAIM warning
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix WQ_MEM_RECLAIM warning When sunrpc is used, if a reset triggered, our wq may lead the following trace: workqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma] is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle [hns_roce_hw_v2] WARNING: CPU: 0 PID: 8250 at kernel/workqueue.c:2644 check_flush_dependency+0xe0/0x144 Call trace: check_flush_dependency+0xe0/0x144 start_flush_work.constprop.0+0x1d0/0x2f0 __flush_work.isra.0+0x40/0xb0 flush_work+0x14/0x30 hns_roce_v2_destroy_qp+0xac/0x1e0 [hns_roce_hw_v2] ib_destroy_qp_user+0x9c/0x2b4 rdma_destroy_qp+0x34/0xb0 rpcrdma_ep_destroy+0x28/0xcc [rpcrdma] rpcrdma_ep_put+0x74/0xb4 [rpcrdma] rpcrdma_xprt_disconnect+0x1d8/0x260 [rpcrdma] xprt_rdma_connect_worker+0xc0/0x120 [rpcrdma] process_one_work+0x1cc/0x4d0 worker_thread+0x154/0x414 kthread+0x104/0x144 ret_from_fork+0x10/0x18 Since QP destruction frees memory, this wq should have the WQ_MEM_RECLAIM.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in the Linux kernel's RDMA/hns driver, reachable over the network without any authentication. When the sunrpc subsystem uses RDMA and a queue-pair reset is triggered, the hns_roce_hw_v2 workqueue flushes work from an incompatible WQ_MEM_RECLAIM context, producing a kernel WARNING that can disrupt normal operation. Successful exploitation allows a remote attacker to cause a service disruption on systems using this driver. A patched-image rebuild at the fix commits (including stable branch 6.1.165) is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-46265 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected kernel or driver packages.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild targeting the fix commits (including Linux stable 6.1.165) is available on HarborGuard for any environment running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The vulnerability is reachable over the network; an attacker must be able to send traffic to the affected service to trigger the RDMA reset path.
- AuthenticationNot required
No authentication is needed to reach the vulnerable code path; the CVSS vector specifies PR:N.
- Victim interactionNot required
No user or administrator action is required to trigger exploitation; the vulnerable condition arises from normal RDMA traffic handling.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or special environmental configuration.
Blast Radius
- A successful attacker causes the kernel to emit a WARNING from the workqueue dependency check, which can halt or destabilize the affected workqueue.
- The hns_roce_hw_v2 workqueue responsible for handling RDMA queue-pair teardown is disrupted, interrupting QP destruction and associated memory reclaim.
- Network-attached storage or RPC workloads running over RDMA (such as NFS or sunrpc clients) lose connectivity due to the failed reset handling.
- System availability is degraded; in the worst case the kernel panic or lockup path is reached, taking down the affected node.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46265 is active the moment the CVE enters upstream feeds, with image matching running across all connected registries. For environments running an affected Linux kernel version, a patched-image rebuild at the upstream fix commits (including stable branch 6.1.165) is available. Where compliance policy permits auto-remediation, HarborGuard can trigger a rebuild, execute the configured regression-test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that cannot immediately update the kernel, consider isolating hosts running hns_roce_hw_v2 at the network-policy layer to restrict which workloads can initiate RDMA connections, reducing exposure until the patched kernel is deployed.
Fix available
- Linux / Linux< 12761bd0ae16a80f237c2a65ab1b1064076cc74a (from ffd541d45726341c1830ff595fd7352b6d1cfbcd) · < 70a5eb757ace5bd627a36f04d871eaf85def424d (from ffd541d45726341c1830ff595fd7352b6d1cfbcd) · < 562c96b1393da2df3ea62173c84117b39da353b9 (from ffd541d45726341c1830ff595fd7352b6d1cfbcd) · < 0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27 (from ffd541d45726341c1830ff595fd7352b6d1cfbcd) · < c5ef9a1bcf5b597695d9c2e6ac452e9f89521862 (from ffd541d45726341c1830ff595fd7352b6d1cfbcd) · < c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6 (from ffd541d45726341c1830ff595fd7352b6d1cfbcd)
- Linux / Linux5.7Fixed in 0, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H