{"id":"CVE-2026-46176","summary":"RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()\n\nmlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When\nib_create_srq() fails for s1, the error branch destroys s0 but falls\nthrough and unconditionally assigns the freed s0 and the ERR_PTR s1 to\ndevr-\u003es0 and devr-\u003es1.\n\nThis leads to several problems: the lock-free fast path checks\n\"if (devr-\u003es1) return 0;\" and treats the ERR_PTR as already initialised;\nusers in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via\nto_msrq(devr-\u003es0)-\u003emsrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences\nthe ERR_PTR and double-frees s0 on teardown.\n\nFix by adding the same `goto unlock` in the s1 failure path.","modified":"2026-07-15T01:48:57.763188272Z","published":"2026-05-28T09:36:30.398Z","related":["ALSA-2026:30848","ALSA-2026:33685","SUSE-SU-2026:22099-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22117-1","SUSE-SU-2026:22127-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:10954-1","openSUSE-SU-2026:20965-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46176.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46176.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:30848"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33215"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:33685"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34094"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-46176"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46176.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46176"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482594"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b6334d2356fc0922ed01457960f74923058a353a"},{"fixed":"a13c2ac4d480b734342c6fbf8249fc48afd675f3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5895e70f2e6e8dc67b551ca554d6fcde0a7f0467"},{"fixed":"bc2cf5935b4665172235341163315905197ae91d"},{"fixed":"b087913ae88256df66620f7ba0a9776716aeef7e"},{"fixed":"6fd93142dd1d09000c3750af08270f5792523fe9"},{"fixed":"c488df06bd552bb8b6e14fa0cfd5ad986c6e9525"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.6.64"},{"fixed":"6.6.140"}]}],"versions":["v6.6.139","v6.6.138","v6.6.137","v6.6.136","v6.6.135","v6.6.134","v6.6.133","v6.6.132","v6.6.131","v6.6.130","v6.6.129","v6.6.128","v6.6.127","v6.6.126","v6.6.125","v6.6.124","v6.6.123","v6.6.122","v6.6.121","v6.6.120","v6.6.119","v6.6.118","v6.6.117","v6.6.116","v6.6.115","v6.6.114","v6.6.113","v6.6.112","v6.6.111","v6.6.110","v6.6.109","v6.6.108","v6.6.107","v6.6.106","v6.6.105","v6.6.104","v6.6.103","v6.6.102","v6.6.101","v6.6.100","v6.6.99","v6.6.98","v6.6.97","v6.6.96","v6.6.95","v6.6.94","v6.6.93","v6.6.92","v6.6.91","v6.6.90","v6.6.89","v6.6.88","v6.6.87","v6.6.86","v6.6.85","v6.6.84","v6.6.83","v6.6.82","v6.6.81","v6.6.80","v6.6.79","v6.6.78","v6.6.77","v6.6.76","v6.6.75","v6.6.74","v6.6.73","v6.6.72","v6.6.71","v6.6.70","v6.6.69","v6.6.68","v6.6.67","v6.6.66","v6.6.65","v6.6.64"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46176.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.11.0"},{"fixed":"6.18.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46176.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}