CVE-2026-45852

Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free.

The call trace looks like this: kmem_cache_free+0x…/0x… rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < b98ab5494dbd48652561aa0b9c32f10500220745affected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < d493e0bfc748a520c349d6c8791b262aa5ad2e4eaffected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < 9abff51163aa1bc275ec356f74fe976291860a7faffected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < 26793db60925df1e88a29466813d586cbc190b8caffected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < ce6f8e007682f378279d4cf83b240f12d52c723baffected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < 5c07aef09a121a4cd622a71eb0753a9e135c84a8affected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < 26a9cfe12f4ffdeaa136f252478986fa5f397ddcaffected
LinuxLinuxaae0484e15f062ad2c2502e68e15dfb8b8f84608 < 0beefd0e15d962f497aad750b2d5e9c3570b66d1affected
LinuxLinux350703fae672d4d649c3562c199eab5ec9dc7c79affected
LinuxLinux4.19.86 < 4.20affected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.128 <= 6.6.*unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.14 <= 6.18.*unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

ADP Enrichment

kernel: RDMA/rxe: Fix double free in rxe_srq_from_init

Additional References

References