Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46084— RDMA/mana_ib: Disable RX steering on RSS QP destroy

AI Predicted 4.4 Difficulty: Moderate EPSS 0.02% · P7

Possible ATT&CK Techniques 1AI

T1059 · Command and Scripting Interpreter

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinux0266a177631d4c6b963b5b12dd986a8c5abdbf06< 6a2d6273b6c3581ce7b90ce17b5cbb4efd19438faffected
0266a177631d4c6b963b5b12dd986a8c5abdbf06< f1ccc4d500a0b87a5599343fc2f798048836e184affected
0266a177631d4c6b963b5b12dd986a8c5abdbf06< 8ba804869382ce307f2a15f5f6f2adfd791f41dcaffected
0266a177631d4c6b963b5b12dd986a8c5abdbf06< 3be5ed233de03b00ae868cfc06e95331d8d9007caffected
0266a177631d4c6b963b5b12dd986a8c5abdbf06< dbeb256e8dd87233d891b170c0b32a6466467036affected
6.2affected
< 6.2unaffected
6.6.140≤ 6.6.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46084

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
RDMA/mana_ib: Disable RX steering on RSS QP destroy
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs: WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails) Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于mana_ib驱动在销毁RSS QP时未禁用vPort RX steering,可能导致残留的steering配置指向已销毁的RX对象,进而引发CQ ID重用和RX完成事件落在TX CQ上的问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 0266a177631d4c6b963b5b12dd986a8c5abdbf06 ~ 6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f -
LinuxLinux 6.2 -

II. Public POCs for CVE-2026-46084

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46084

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46084 (5)

Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total

CVE-2026-458989.8 CRITICALRDMA/iwcm: Fix workqueue list corruption by removing work_list
CVE-2026-459729.8 CRITICALsmb: client: fix potential UAF and double free in smb2_open_file()
CVE-2026-460399.8 CRITICALrxgk: Fix potential integer overflow in length check
CVE-2026-459889.8 CRITICALrxrpc: Fix re-decryption of RESPONSE packets
CVE-2026-460439.1 CRITICALRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
CVE-2026-460568.8 HIGHBluetooth: hci_event: fix potential UAF in SSP passkey handlers
CVE-2026-459458.8 HIGHiommu/vt-d: Fix race condition during PASID entry replacement
CVE-2026-460378.2 HIGHipv4: icmp: validate reply type before using icmp_pointers
CVE-2026-458438.2 HIGHslip: bound decode() reads against the compressed packet length
CVE-2026-460108.1 HIGHrxrpc: Fix error handling in rxgk_extract_token()
CVE-2026-460998.1 HIGHnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
CVE-2026-460767.9 HIGHKVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
CVE-2026-459427.8 HIGHext4: fix e4b bitmap inconsistency reports
CVE-2026-459707.8 HIGHbonding: alb: fix UAF in rlb_arp_recv during bond up/down
CVE-2026-459807.8 HIGHaccel/amdxdna: Stop job scheduling across aie2_release_resource()
CVE-2026-459517.8 HIGHbpf: Fix a potential use-after-free of BTF object
CVE-2026-458527.8 HIGHRDMA/rxe: Fix double free in rxe_srq_from_init
CVE-2026-460367.8 HIGHvfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
CVE-2026-459317.8 HIGHaccel/amdxdna: Hold mm structure across iommu_sva_unbind_device()
CVE-2026-460657.8 HIGHfbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info

Showing top 20 of 276 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46084

No comments yet

Leave a comment