Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45973

Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx5: Fix UMR hang in LAG error state unload<br /> <br /> During firmware reset in LAG mode, a race condition causes the driver<br /> to hang indefinitely while waiting for UMR completion during device<br /> unload. See [1].<br /> <br /> In LAG mode the bond device is only registered on the master, so it<br /> never sees sys_error events from the slave.<br /> During firmware reset this causes UMR waits to hang forever on unload<br /> as the slave is dead but the master hasn&amp;#39;t entered error state yet, so<br /> UMR posts succeed but completions never arrive.<br /> <br /> Fix this by adding a sys_error notifier that gets registered before<br /> MLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().<br /> This ensures error events reach the bond device throughout teardown.<br /> <br /> [1]<br /> Call Trace:<br /> __schedule+0x2bd/0x760<br /> schedule+0x37/0xa0<br /> schedule_preempt_disabled+0xa/0x10<br /> __mutex_lock.isra.6+0x2b5/0x4a0<br /> __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]<br /> ? __xa_erase+0x4a/0xa0<br /> ? _cond_resched+0x15/0x30<br /> ? wait_for_completion+0x31/0x100<br /> ib_dereg_mr_user+0x48/0xc0 [ib_core]<br /> ? rdmacg_uncharge_hierarchy+0xa0/0x100<br /> destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]<br /> uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]<br /> __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]<br /> uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]<br /> ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]<br /> remove_client_context+0x8b/0xd0 [ib_core]<br /> disable_device+0x8c/0x130 [ib_core]<br /> __ib_unregister_device+0x10d/0x180 [ib_core]<br /> ib_unregister_device+0x21/0x30 [ib_core]<br /> __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]<br /> auxiliary_bus_remove+0x1e/0x30<br /> device_release_driver_internal+0x103/0x1f0<br /> bus_remove_device+0xf7/0x170<br /> device_del+0x181/0x410<br /> mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]<br /> mlx5_disable_lag+0x253/0x260 [mlx5_core]<br /> mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]<br /> mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]<br /> mlx5_unload+0x15/0xd0 [mlx5_core]<br /> mlx5_unload_one+0x71/0xc0 [mlx5_core]<br /> mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]<br /> process_one_work+0x1a7/0x360<br /> worker_thread+0x30/0x390<br /> ? create_worker+0x1a0/0x1a0<br /> kthread+0x116/0x130<br /> ? kthread_flush_work_fn+0x10/0x10<br /> ret_from_fork+0x22/0x40

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.64 (incluyendo) 6.7 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11.11 (incluyendo) 6.12 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.2 (incluyendo) 6.12.75 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)