CVE-2026-45852

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
27/05/2026
Last modified:
07/07/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix double free in rxe_srq_from_init<br /> <br /> In rxe_srq_from_init(), the queue pointer &amp;#39;q&amp;#39; is assigned to<br /> &amp;#39;srq-&gt;rq.queue&amp;#39; before copying the SRQ number to user space.<br /> If copy_to_user() fails, the function calls rxe_queue_cleanup()<br /> to free the queue, but leaves the now-invalid pointer in<br /> &amp;#39;srq-&gt;rq.queue&amp;#39;.<br /> <br /> The caller of rxe_srq_from_init() (rxe_create_srq) eventually<br /> calls rxe_srq_cleanup() upon receiving the error, which triggers<br /> a second rxe_queue_cleanup() on the same memory, leading to a<br /> double free.<br /> <br /> The call trace looks like this:<br /> kmem_cache_free+0x.../0x...<br /> rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]<br /> rxe_srq_cleanup+0x42/0x60 [rdma_rxe]<br /> rxe_elem_release+0x31/0x70 [rdma_rxe]<br /> rxe_create_srq+0x12b/0x1a0 [rdma_rxe]<br /> ib_create_srq_user+0x9a/0x150 [ib_core]<br /> <br /> Fix this by moving &amp;#39;srq-&gt;rq.queue = q&amp;#39; after copy_to_user.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.86 (including) 5.10.259 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.176 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.128 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)