Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45910

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-362 Ejecución concurrente utilizando recursos compartidos con una incorrecta sincronización (Condición de carrera)
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix race condition in QP timer handlers<br /> <br /> I encontered the following warning:<br /> WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0<br /> ...<br /> libsha1 [last unloaded: ip6_udp_tunnel]<br /> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT<br /> Tainted: [C]=CRAP<br /> Hardware name: Raspberry Pi 4 Model B Rev 1.2<br /> Call trace:<br /> rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)<br /> retransmit_timer+0x130/0x188 [rdma_rxe]<br /> call_timer_fn+0x68/0x4d0<br /> __run_timers+0x630/0x888<br /> ...<br /> WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0<br /> ...<br /> WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400<br /> ...<br /> refcount_t: underflow; use-after-free.<br /> WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400<br /> <br /> The issue is caused by a race condition between retransmit_timer() and<br /> rxe_destroy_qp, leading to the Queue Pair&amp;#39;s (QP) reference count dropping<br /> to zero during timer handler execution.<br /> <br /> It seems this warning is harmless because rxe_qp_do_cleanup() will flush<br /> all pending timers and requests.<br /> <br /> Example of flow causing the issue:<br /> <br /> CPU0 CPU1<br /> retransmit_timer() {<br /> spin_lock_irqsave<br /> rxe_destroy_qp()<br /> __rxe_cleanup()<br /> __rxe_put() // qp-&gt;ref_count decrease to 0<br /> rxe_qp_do_cleanup() {<br /> if (qp-&gt;valid) {<br /> rxe_sched_task() {<br /> WARN_ON(rxe_read(task-&gt;qp) valid = 0<br /> spin_unlock_irqrestore<br /> }<br /> <br /> Ensure the QP&amp;#39;s reference count is maintained and its validity is checked<br /> within the timer callbacks by adding calls to rxe_get(qp) and corresponding<br /> rxe_put(qp) after use.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.4 (incluyendo) 6.6.128 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.75 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)