KernelScan.io

HIGH

rdma MemRegion DoubleFree

CVE-2026-43120

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.0 HIGH


In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix double free related to rereg_user_mr

If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL.

The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again.

Fix this by setting iwmr->region to NULL after ib_umem_release.

Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")


Engine v0.2.0

Risk summary

Systems with Intel RDMA hardware using the irdma driver are exposed to kernel memory corruption. When a memory region re-registration fails and the user then deregisters the region, the same umem is released twice; this double free can crash the kernel or potentially be exploited for privilege escalation. It affects systems running RDMA workloads with the irdma driver, particularly those that expose the RDMA interface to local users or untrusted workloads.

Affected: drivers/infiniband/hw/irdma/verbs.c (RDMA irdma driver)

Vulnerability analysis

The vulnerability occurs in the irdma_rereg_mr_trans function when the IB_MR_REREG_TRANS flag is set during memory region re-registration. If the operation fails after allocating a new umem, the code releases the memory with ib_umem_release() but does not clear the iwmr->region pointer, leaving it dangling. When userspace receives the error and calls ibv_dereg_mr(), the kernel's deregistration path sees the stale, non-NULL pointer and releases the same umem again, causing a double free. The fix adds iwmr->region = NULL after the release so that the deregistration path finds nothing left to free. The bug is reachable from local userspace through the RDMA ibverbs interface.
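The failure sequence described above, as an added example that is not the irdma driver's own code: a constructed C model in which the umem stand-in counts its releases, so the vulnerable and fixed shapes of the rereg failure path can be compared once the user's deregistration call follows. The names umem, iwmr, umem_release, dereg_mr and simulate are assumed for the mock.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for struct ib_umem: instead of freeing memory, it
 * counts releases so a second release stays observable rather than UB. */
struct umem {
    int releases;
};

/* Stand-in for irdma's MR object, keeping only the umem pointer. */
struct iwmr {
    struct umem *region;
};

/* Mock of ib_umem_release(): 1 on a clean release, 0 on a repeat release. */
static int umem_release(struct umem *u)
{
    if (!u)
        return 1;                 /* releasing NULL is a no-op, as in the kernel */
    return u->releases++ == 0;
}

/* Vulnerable shape of the rereg failure path: the new umem is released,
 * but iwmr->region still points at it. */
static void rereg_trans_fail_vulnerable(struct iwmr *mr, struct umem *new_region)
{
    mr->region = new_region;
    /* ... a later step of the re-registration fails ... */
    umem_release(mr->region);
    /* missing: mr->region = NULL; */
}

/* Fixed shape: the stale pointer is cleared right after the release. */
static void rereg_trans_fail_fixed(struct iwmr *mr, struct umem *new_region)
{
    mr->region = new_region;
    umem_release(mr->region);
    mr->region = NULL;
}

/* Stand-in for the dereg_mr path: releases whatever region is attached.
 * Returns 1 for a clean release, 0 when it was a double release. */
static int dereg_mr(struct iwmr *mr)
{
    int ok = umem_release(mr->region);
    mr->region = NULL;
    return ok;
}

/* User-visible sequence: rereg fails, then the user calls ibv_dereg_mr(). */
static int simulate(int fixed)
{
    struct umem region = { 0 };       /* constructed sample region */
    struct iwmr mr = { NULL };
    if (fixed)
        rereg_trans_fail_fixed(&mr, &region);
    else
        rereg_trans_fail_vulnerable(&mr, &region);
    return dereg_mr(&mr);
}

int main(void)
{
    printf("vulnerable path clean: %d\n", simulate(0));   /* 0: double release */
    printf("fixed path clean:      %d\n", simulate(1));   /* 1: single release */
    return 0;
}
```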


Branch     Fixed in   Patch commit
6.12       6.12.83    66964118f1f5
6.18       6.18.24    0f22c32141ac
6.19       6.19.14    0c5d70bcb9d2
6.6        6.6.136    62298a48f8b8
mainline   7.0        29a3edd7004b