CVE-2026-46084
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/05/2026
Last modified:
24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana_ib: Disable RX steering on RSS QP destroy

When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()
destroys the RX WQ objects but does not disable vPort RX steering in
firmware. This leaves stale steering configuration that still points to
the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and
the VF interface is subsequently brought up (mana_open), the firmware
may deliver completions using stale CQ IDs from the old RX objects.
These CQ IDs can be reused by the ethernet driver for new TX CQs,
causing RX completions to land on TX CQs:

WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects.
Note that mana_fence_rqs() cannot be used here because the fence
completion is delivered on the CQ, which is polled by user-mode (e.g.
DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared mana_disable_vport_rx() in
mana_en, exported for use by mana_ib, replacing the duplicate code.
The ethernet driver's mana_dealloc_queues() is also updated to call
this common function.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
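
A triage helper for the version table and the two kernel warnings quoted in the description, added here as an example; it is not part of the advisory or of the kernel patch. It compares an upstream release string against the ranges above and scans kernel log lines for the two warning symbols. The function names and the sample log lines are constructed, and a distribution kernel that backports fixes has to be judged from the vendor's advisory, not from this version check.

```python
import re

# Upstream ranges from the table above: (first affected, first fixed).
AFFECTED = [
    ((6, 2, 0), (6, 6, 140)),
    ((6, 7, 0), (6, 12, 86)),
    ((6, 13, 0), (6, 18, 27)),
    ((6, 19, 0), (7, 0, 4)),
]

# Symbols from the two WARNING lines quoted in the description. A match is a
# lead to investigate, not proof: either warning can have other causes.
SIGNATURE = re.compile(
    r"WARNING:.*\b(mana_poll_tx_cq|mana_gd_process_eq_events)\+0x[0-9a-f]+/0x[0-9a-f]+"
)

# Constructed sample lines in dmesg style (not captured from a real host).
SAMPLE_LOG = [
    "[  812.104] eth1: link becomes ready",
    "[  812.377] WARNING: CPU: 1 PID: 0 at mana_poll_tx_cq+0x1b8/0x220 [mana]",
    "[  812.391] WARNING: CPU: 1 PID: 0 at mana_gd_process_eq_events+0x209/0x290",
]


def parse_release(release):
    """Turn a `uname -r` string such as '6.6.139-generic' into (6, 6, 139)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the upstream version falls inside any range in the table."""
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED)


def matching_warnings(log_lines):
    """Return the log lines that carry either warning symbol."""
    return [line for line in log_lines if SIGNATURE.search(line)]


def triage(release, log_lines):
    """Combine both checks into one result for a host."""
    return {"version_in_range": in_affected_range(release),
            "warnings": matching_warnings(log_lines)}


if __name__ == "__main__":
    print(triage("6.6.139-generic", SAMPLE_LOG))
```

On a live host, pass the output of `uname -r` and the lines of `dmesg` or `journalctl -k` to `triage()`.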
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c
- https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f
- https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc
- https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036
- https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184



