HIGH
rdma CqTable Corruption
CVE-2026-46117
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.6 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()

Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation.
02 KernelScan AI Analysis
Risk summary
Local attackers with access to the MANA RDMA verbs API can corrupt kernel memory by creating RSS work queues that share the same completion queue. This can lead to kernel crashes or potential privilege escalation through memory corruption. Systems using Microsoft Azure Network Adapter (MANA) RDMA functionality are affected.
Vulnerability analysis
The vulnerability exists in the MANA RDMA driver's completion queue management during RSS QP creation. The original code used WARN_ON() to detect when userspace attempted to create work queues sharing the same completion queue, but this warning did not prevent the operation and led to kernel memory corruption when the condition was met. The fix replaces the warning with proper input validation that rejects the invalid configuration with -EINVAL, preventing the memory corruption. The attack surface is local and requires access to the MANA RDMA uAPI.
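The difference between warning and rejecting, shown as an added example that is not the driver's code or the upstream patch: a simplified userspace model in which `cq_table`, `install_warn_only`, `install_checked`, `create_qp_rss` and `consistent_wqs` are hypothetical names. Overwriting a table slot is an assumed stand-in for the corruption the advisory describes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CQ_SLOTS 8                 /* constructed table size */
static int cq_table[CQ_SLOTS];     /* model CQ table: 0 = empty, else owning WQ + 1 */

/* Before: a duplicate CQ id is only logged, then the slot is overwritten. */
static int install_warn_only(int cq_id, int wq)
{
    if (cq_table[cq_id])
        fprintf(stderr, "WARNING: cq %d already installed\n", cq_id);
    cq_table[cq_id] = wq + 1;      /* the earlier WQ's entry is lost */
    return 0;
}

/* After: a duplicate CQ id fails the request before any state changes. */
static int install_checked(int cq_id, int wq)
{
    if (cq_table[cq_id])
        return -EINVAL;
    cq_table[cq_id] = wq + 1;
    return 0;
}

/* wq_cq[i] is the caller-chosen CQ id for WQ i; installs are undone on failure. */
static int create_qp_rss(const int *wq_cq, int n, int (*install)(int, int))
{
    int i, ret = 0;
    memset(cq_table, 0, sizeof(cq_table));   /* fresh table for each run */
    for (i = 0; i < n; i++) {
        ret = (wq_cq[i] < 0 || wq_cq[i] >= CQ_SLOTS) ? -EINVAL : install(wq_cq[i], i);
        if (ret)
            break;
    }
    while (ret && i-- > 0)
        cq_table[wq_cq[i]] = 0;              /* unwind the WQs already set up */
    return ret;
}

/* Count WQs whose CQ slot still names them as owner (ids must be in range). */
static int consistent_wqs(const int *wq_cq, int n)
{
    int i, ok = 0;
    for (i = 0; i < n; i++)
        ok += cq_table[wq_cq[i]] == i + 1;
    return ok;
}
```

With two WQs on the same CQ, the warn-only path returns success while one WQ no longer owns its table slot; the checked path returns `-EINVAL` and leaves the table empty.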
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.91 | 9cc0c6b1ba8c |
| 6.18 | 6.18.30 | 9ef65af26b2a |
| 7.0 | 7.0.7 | db991ba50087 |
| mainline | 7.1-rc3 | 159f2efabc89 |