
Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free.

The call trace looks like this:

    kmem_cache_free+0x.../0x...
    rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
    rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
    rxe_elem_release+0x31/0x70 [rdma_rxe]
    rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
    ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.
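The ordering problem described above, as an added userspace C model (not the kernel's code and not taken from the fix commits). The struct and function names are hypothetical stand-ins, cleanup is counted instead of freeing memory, and the NULL check in the caller's cleanup is an assumption.

```c
#include <stdio.h>
/* Simplified userspace model: names follow the advisory, bodies are assumptions. */
struct queue { int cleanups; };          /* counts cleanups instead of freeing */
struct srq { struct queue *queue; };     /* stands in for srq->rq.queue */

static void queue_cleanup(struct queue *q) { q->cleanups++; }
static int copy_out(int fail) { return fail; }  /* stand-in for copy_to_user() */

/* Pre-fix ordering: the pointer is stored before the fallible copy. */
static int srq_init_before(struct srq *srq, struct queue *q, int fail)
{
    srq->queue = q;
    if (copy_out(fail)) {
        queue_cleanup(q);                /* srq->queue still points at q */
        return -1;
    }
    return 0;
}

/* Post-fix ordering: the pointer is stored only once the copy has succeeded. */
static int srq_init_after(struct srq *srq, struct queue *q, int fail)
{
    if (copy_out(fail)) {
        queue_cleanup(q);
        return -1;
    }
    srq->queue = q;
    return 0;
}

/* Caller's error path: cleans up whatever queue is attached (assumed NULL check). */
static void srq_cleanup(struct srq *srq)
{
    if (srq->queue)
        queue_cleanup(srq->queue);
}

/* Create path: returns how many times the one queue was cleaned up. */
int create_srq(int fixed, int fail)
{
    struct queue q = { 0 };
    struct srq srq = { NULL };
    if ((fixed ? srq_init_after : srq_init_before)(&srq, &q, fail))
        srq_cleanup(&srq);
    return q.cleanups;
}

int main(void)
{
    return printf("pre-fix: %d, post-fix: %d\n", create_srq(0, 1), create_srq(1, 1)) < 0;
}
```

A count of 2 on the failing-copy path corresponds to the double free; with the assignment moved after the copy, the same path cleans up exactly once.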

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-30 | Assigner Linux




HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before 22b8c23a3b92d023614bb00896fe364b2c1a31d3
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before af5956243018918130d52c9f671efdb40bab3366
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before 26793db60925df1e88a29466813d586cbc190b8c
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before ce6f8e007682f378279d4cf83b240f12d52c723b
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before 5c07aef09a121a4cd622a71eb0753a9e135c84a8
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before 26a9cfe12f4ffdeaa136f252478986fa5f397ddc
affected

aae0484e15f062ad2c2502e68e15dfb8b8f84608 (git) before 0beefd0e15d962f497aad750b2d5e9c3570b66d1
affected

350703fae672d4d649c3562c199eab5ec9dc7c79 (git)
affected

4.19.86 (semver) before 4.20
affected

Default status
affected

4.20
affected

Any version before 4.20
unaffected

5.10.252 (semver)
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.14 (semver)
unaffected

6.19.4 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/22b8c23a3b92d023614bb00896fe364b2c1a31d3

git.kernel.org/...c/af5956243018918130d52c9f671efdb40bab3366

git.kernel.org/...c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947

git.kernel.org/...c/26793db60925df1e88a29466813d586cbc190b8c

git.kernel.org/...c/ce6f8e007682f378279d4cf83b240f12d52c723b

git.kernel.org/...c/5c07aef09a121a4cd622a71eb0753a9e135c84a8

git.kernel.org/...c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc

git.kernel.org/...c/0beefd0e15d962f497aad750b2d5e9c3570b66d1

cve.org (CVE-2026-45852)

nvd.nist.gov (CVE-2026-45852)
