CVE-2026-46176

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An error path fall-through exists in the mlx5 ib dev res srq init() function. When the function allocates two Send Receive Queues (SRQs), s0 and s1, a failure in ib create srq() for s1 causes the error branch to destroy s0 but continue execution, unconditionally assigning the freed s0 and the error pointer s1 to devr->s0 and devr->s1. This results in the lock-free fast path treating the error pointer as initialized, users in mlx5 ib create qp() dereferencing the freed SRQ or error pointer via to msrq(devr->s0)->msrq.srqn, and mlx5 ib dev res cleanup() dereferencing the error pointer and double-freeing s0 during teardown.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.