CVE-2026-23454

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists in mana hwc destroy channel() where hwc->caller ctx is freed before the Hardware Completion Queue (CQ) and Event Queue (EQ) are destroyed. This can lead to a use-after-free or NULL pointer dereference in mana hwc handle resp() if an in-flight CQ interrupt handler attempts to dereference the freed memory. The issue arises because mana smc teardown hwc() signals the hardware to stop without synchronizing against interrupt handlers executing on other CPUs. The fix reorders the teardown process to destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller ctx, ensuring all in-flight interrupt handlers complete before the memory they access is freed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.