CVE-2026-46084

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 27/05/2026
Last modified: 24/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana_ib: Disable RX steering on RSS QP destroy

When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs:

    WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
    WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding)
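
A triage helper for the version table and the two WARNING signatures above, added here as an example and not part of the advisory or the kernel patch. The function names and the sample log lines are constructed for illustration; the version bounds and symbol names are taken from this page.

```python
import re

# Affected upstream ranges from the table on this page:
# (from, inclusive) .. (up to, exclusive).
AFFECTED = [((6, 2), (6, 6, 140)), ((6, 7), (6, 12, 86)),
            ((6, 13), (6, 18, 27)), ((6, 19), (7, 0, 4))]

# Symbols named in the two WARNING lines quoted in the description.
WARN_RE = re.compile(
    r"WARNING:.*\b(mana_poll_tx_cq|mana_gd_process_eq_events)\+0x")


def parse_release(release):
    """Turn a `uname -r` style string into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the upstream base version lies in a listed range.

    Distribution kernels can carry the fix as a backport without changing
    the base version, so True means "confirm against the vendor advisory".
    """
    v = parse_release(release)
    return any(lo + (0,) * (3 - len(lo)) <= v < hi for lo, hi in AFFECTED)


def find_mana_warnings(lines):
    """Return (line_number, symbol) for each kernel-log line that matches."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = WARN_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed sample kernel log, modelled on the WARNING lines quoted above.
SAMPLE_LOG = [
    "[  101.200] mana 7870:00:00.0 eth1: link up",
    "[  101.913] WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]",
    "[  101.914] WARNING: mana_gd_process_eq_events+0x209/0x290",
    "[  102.000] systemd[1]: Started example.service",
]

if __name__ == "__main__":
    print(in_affected_range("6.8.0-generic"), find_mana_warnings(SAMPLE_LOG))
```

On a live host, pass the output of `uname -r` to `in_affected_range()` and the lines of the kernel log to `find_mana_warnings()`.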