HIGH
rdma UContext DoubleFree
CVE-2026-46189
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.
02 KernelScan AI Analysis
Risk summary
Local users with RDMA device access can trigger a double free vulnerability in the VMware PVRDMA driver during user context allocation failures. This can lead to kernel memory corruption and system crashes, with potential for privilege escalation in multi-tenant environments.
Vulnerability analysis
The vulnerability occurs in pvrdma_alloc_ucontext() when ib_copy_to_udata() fails. The error path incorrectly calls pvrdma_uar_free() before pvrdma_dealloc_ucontext(), but pvrdma_dealloc_ucontext() already frees the UAR internally, causing a double free. The fix removes the redundant pvrdma_uar_free() call. Attack surface is local-only, requiring access to RDMA devices, typically available to users in the rdma group on systems with VMware PVRDMA hardware.
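The error-path ordering described above, as a simplified user-space model added here (not the pvrdma driver's code). The slot table, the function names and the `patched` switch are assumptions for illustration; the model counts a second release instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>

#define UAR_SLOTS 4
static bool uar_used[UAR_SLOTS];   /* constructed stand-in for the UAR table */
static int double_frees;           /* releases of a slot that was already free */

static int uar_alloc(void) {
    for (int i = 0; i < UAR_SLOTS; i++)
        if (!uar_used[i]) { uar_used[i] = true; return i; }
    return -1;
}

static void uar_free(int idx) {
    if (!uar_used[idx]) { double_frees++; return; }  /* detect, do not corrupt */
    uar_used[idx] = false;
}

struct ucontext { int uar; };

/* Teardown owns the UAR and always releases it. */
static void dealloc_ucontext(struct ucontext *ctx) { uar_free(ctx->uar); }

/* copy_fails models ib_copy_to_udata() returning an error. */
static int alloc_ucontext(struct ucontext *ctx, bool copy_fails, bool patched) {
    ctx->uar = uar_alloc();
    if (ctx->uar < 0)
        return -1;
    if (copy_fails) {
        if (!patched)
            uar_free(ctx->uar);    /* pre-fix: redundant release */
        dealloc_ucontext(ctx);     /* releases the same UAR (again, pre-fix) */
        return -2;
    }
    return 0;
}

/* Runs one failed allocation and returns the double frees observed. */
int run_failed_alloc(bool patched) {
    struct ucontext ctx;
    double_frees = 0;
    for (int i = 0; i < UAR_SLOTS; i++) uar_used[i] = false;
    (void)alloc_ucontext(&ctx, true, patched);
    return double_frees;
}

int main(void) {
    printf("pre-fix: %d double free(s)\n", run_failed_alloc(false));
    printf("patched: %d double free(s)\n", run_failed_alloc(true));
    return 0;
}
```

With the redundant call removed, the failed allocation still releases its slot exactly once, so the fix does not trade the double free for a leak.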
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 269967d76933 |
| 5.15 | 5.15.209 | 1df5711121cd |
| 6.1 | 6.1.175 | 3a231c34c5bc |
| 6.6 | 6.6.140 | ecc36a82ecfc |
| 6.12 | 6.12.88 | 45d25e3ec179 |
| 6.18 | 6.18.30 | 0c63333ff97b |
| 7.0 | 7.0.7 | 935ee27d0904 |
| mainline | 7.1-rc3 | e38e86995df2 |