KernelScan.io

HIGH

rdma efa CompletionCtx UAF

CVE-2026-31493

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

RDMA/efa: Fix use of completion ctx after free

On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again).

Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.

02

Engine v0.2.0

Risk summary

A use-after-free vulnerability in the RDMA/efa driver could allow local attackers to cause system crashes or potentially execute arbitrary code in kernel context. The vulnerability occurs when error handling code accesses freed completion context memory, which may contain attacker-controlled data if the memory has been reallocated.

Affected: drivers/infiniband/hw/efa/efa_com.c

Vulnerability analysis

Root Cause: In the RDMA/efa admin queue completion handling, the completion context is freed in the polling/interrupt handler before error logging code attempts to access it. When an admin command completes with an error, the code tries to print data from the completion context after it has already been deallocated, leading to access of freed memory that may have been reallocated for other purposes.

Attack Surface: This vulnerability affects local processes that can interact with RDMA/efa devices through the InfiniBand subsystem. It requires local access and the ability to trigger admin queue operations that complete with errors. The bug is in kernel space and could potentially be exploited by unprivileged processes if they can access the RDMA device through appropriate interfaces.

Fix Mechanism: The patch restructures the admin command submission flow to make allocation and deallocation of completion contexts symmetric. Instead of freeing the context in the polling/interrupt handlers, deallocation is moved to after all potential uses of the context are complete. The fix changes function signatures to pass pre-allocated contexts and ensures efa_com_dealloc_comp_ctx() is called at the end of efa_com_cmd_exec() after error handling is finished.

03

Branch | Fixed in | Patch commit
6.18 | 6.18.21 | 0dd98aea1c0c
6.19 | 6.19.11 | 1cf95fe5dc54
mainline | 7.0 | ef3b06742c8a