Linux kernel RDMA/rxe doublefree via rxe_srq_from_init
CVE-2026-45852 Published on May 27, 2026
RDMA/rxe: Fix double free in rxe_srq_from_init
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix double free in rxe_srq_from_init
In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.
The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.
The call trace looks like this:
kmem_cache_free+0x.../0x...
rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
rxe_elem_release+0x31/0x70 [rdma_rxe]
rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
ib_create_srq_user+0x9a/0x150 [ib_core]
Fix this by moving 'srq->rq.queue = q' after copy_to_user.
Vulnerability Analysis
CVE-2026-45852 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Products Associated with CVE-2026-45852
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-45852 are published in these products:
Affected Versions
Linux:- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below b98ab5494dbd48652561aa0b9c32f10500220745 is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below d493e0bfc748a520c349d6c8791b262aa5ad2e4e is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below 9abff51163aa1bc275ec356f74fe976291860a7f is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below 26793db60925df1e88a29466813d586cbc190b8c is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below ce6f8e007682f378279d4cf83b240f12d52c723b is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below 5c07aef09a121a4cd622a71eb0753a9e135c84a8 is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below 26a9cfe12f4ffdeaa136f252478986fa5f397ddc is affected.
- Version aae0484e15f062ad2c2502e68e15dfb8b8f84608 and below 0beefd0e15d962f497aad750b2d5e9c3570b66d1 is affected.
- Version 350703fae672d4d649c3562c199eab5ec9dc7c79 is affected.
- Version 4.19.86 and below 4.20 is affected.
- Version 4.20 is affected.
- Before 4.20 is unaffected.
- Version 5.10.259, <= 5.10.* is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.128, <= 6.6.* is unaffected.
- Version 6.12.75, <= 6.12.* is unaffected.
- Version 6.18.14, <= 6.18.* is unaffected.
- Version 6.19.4, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.
- Version 0:3.10.0-1160.154.1.el7 and below * is unaffected.
- Version 0:4.18.0-553.132.1.rt7.473.el8_10 and below * is unaffected.
- Version 0:4.18.0-553.132.1.el8_10 and below * is unaffected.
- Version 0:4.18.0-305.197.1.el8_4 and below * is unaffected.
- Version 0:4.18.0-305.197.1.el8_4 and below * is unaffected.
- Version 0:4.18.0-372.198.1.el8_6 and below * is unaffected.
- Version 0:4.18.0-372.198.1.el8_6 and below * is unaffected.
- Version 0:4.18.0-477.150.1.el8_8 and below * is unaffected.
- Version 0:4.18.0-477.150.1.el8_8 and below * is unaffected.
- Version 0:5.14.0-687.15.1.el9_8 and below * is unaffected.
- Version 0:5.14.0-427.134.1.el9_4 and below * is unaffected.
- Version 0:5.14.0-570.125.1.el9_6 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.