CVE-2026-45852

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1
https://git.kernel.org/stable/c/22b8c23a3b92d023614bb00896fe364b2c1a31d3
https://git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8c
https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc
https://git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8
https://git.kernel.org/stable/c/af5956243018918130d52c9f671efdb40bab3366
https://git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723b
https://git.kernel.org/stable/c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947

Configurations

No configuration.

History

30 May 2026, 11:17

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

27 May 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 14:16

Updated : 2026-05-30 11:17

NVD link : CVE-2026-45852

Mitre link : CVE-2026-45852

CVE.ORG link : CVE-2026-45852

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2026-45852", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-27T14:16:57.193", "references": [{"url": "https://git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/22b8c23a3b92d023614bb00896fe364b2c1a31d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/af5956243018918130d52c9f671efdb40bab3366", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix double free in rxe_srq_from_init\n\nIn rxe_srq_from_init(), the queue pointer 'q' is assigned to\n'srq->rq.queue' before copying the SRQ number to user space.\nIf copy_to_user() fails, the function calls rxe_queue_cleanup()\nto free the queue, but leaves the now-invalid pointer in\n'srq->rq.queue'.\n\nThe caller of rxe_srq_from_init() (rxe_create_srq) eventually\ncalls rxe_srq_cleanup() upon receiving the error, which triggers\na second rxe_queue_cleanup() on the same memory, leading to a\ndouble free.\n\nThe call trace looks like this:\n kmem_cache_free+0x.../0x...\n rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]\n rxe_srq_cleanup+0x42/0x60 [rdma_rxe]\n rxe_elem_release+0x31/0x70 [rdma_rxe]\n rxe_create_srq+0x12b/0x1a0 [rdma_rxe]\n ib_create_srq_user+0x9a/0x150 [ib_core]\n\nFix this by moving 'srq->rq.queue = q' after copy_to_user."}], "lastModified": "2026-05-30T11:17:07.020", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}