Bug 2482166 (CVE-2026-45852) - CVE-2026-45852 kernel: RDMA/rxe: Fix double free in rxe_srq_from_init
Summary: CVE-2026-45852 kernel: RDMA/rxe: Fix double free in rxe_srq_from_init
Keywords:
Status: NEW
Alias: CVE-2026-45852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:14 UTC by OSIDB Bzimport
Modified: 2026-07-06 14:26 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:25120 0 None None None 2026-06-10 20:00:22 UTC
Red Hat Product Errata RHSA-2026:25121 0 None None None 2026-06-10 21:39:08 UTC
Red Hat Product Errata RHSA-2026:25217 0 None None None 2026-06-11 10:13:36 UTC
Red Hat Product Errata RHSA-2026:27713 0 None None None 2026-06-22 05:01:26 UTC
Red Hat Product Errata RHSA-2026:33899 0 None None None 2026-07-01 00:15:57 UTC
Red Hat Product Errata RHSA-2026:34094 0 None None None 2026-07-01 08:59:12 UTC
Red Hat Product Errata RHSA-2026:35844 0 None None None 2026-07-06 04:20:47 UTC
Red Hat Product Errata RHSA-2026:35863 0 None None None 2026-07-06 04:51:34 UTC
Red Hat Product Errata RHSA-2026:35896 0 None None None 2026-07-06 14:26:48 UTC

Description OSIDB Bzimport 2026-05-27 15:14:26 UTC
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
   kmem_cache_free+0x.../0x...
   rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
   rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
   rxe_elem_release+0x31/0x70 [rdma_rxe]
   rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
   ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Comment 4 errata-xmlrpc 2026-06-10 20:00:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25120 https://access.redhat.com/errata/RHSA-2026:25120

Comment 5 errata-xmlrpc 2026-06-10 21:39:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25121 https://access.redhat.com/errata/RHSA-2026:25121

Comment 6 errata-xmlrpc 2026-06-11 10:13:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25217 https://access.redhat.com/errata/RHSA-2026:25217

Comment 7 errata-xmlrpc 2026-06-22 05:01:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:27713 https://access.redhat.com/errata/RHSA-2026:27713

Comment 8 errata-xmlrpc 2026-07-01 00:15:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:33899 https://access.redhat.com/errata/RHSA-2026:33899

Comment 9 errata-xmlrpc 2026-07-01 08:59:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:34094 https://access.redhat.com/errata/RHSA-2026:34094

Comment 10 errata-xmlrpc 2026-07-06 04:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:35844 https://access.redhat.com/errata/RHSA-2026:35844

Comment 11 errata-xmlrpc 2026-07-06 04:51:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:35863 https://access.redhat.com/errata/RHSA-2026:35863

Comment 12 errata-xmlrpc 2026-07-06 14:26:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:35896 https://access.redhat.com/errata/RHSA-2026:35896


Note You need to log in before you can comment on or make changes to this bug.