CVE-2026-46181: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.
Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.
Security readout for executives and security teams
Plain-English summary
CVE-2026-46181 is a Linux kernel race-condition bug in the RDMA mlx4 driver. A local user with some privileges could potentially crash the system or impact confidentiality and integrity. It matters most for Linux hosts using Mellanox mlx4/RDMA capabilities. No active exploitation is stated in the provided sources.
Executive priority
Prioritize patching for Linux servers using Mellanox mlx4/RDMA, especially shared compute, HPC, virtualization, or multi-user environments. Treat as high severity, but not an internet-wide emergency based on current sources.
Technical view
The issue is in RDMA/mlx4 mlx4_srq_event(). The kernel fix replaces improper RCU assumptions with spinlock/refcount handling and orders refcount initialization after SRQ initialization. The CVSS 3.1 score is 7.8, local attack vector, low complexity, low privileges, no user interaction, with high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is likely limited to affected Linux kernels where the RDMA mlx4 driver and SRQ event path are present or usable. Systems without mlx4/RDMA hardware or driver use are less likely exposed, but confirm through vendor kernel advisories and configuration review.
Exploitation context
The CVSS vector indicates local, low-privilege exploitation with no user interaction. The sources do not state remote exploitation or known active exploitation. The bug involves a race during SRQ event handling and object initialization/lifetime management.
Researcher notes
Affected-version data in the source bundle is inconsistent and should be validated against distribution advisories. The core fix addresses unsafe lifetime handling around radix tree lookup, SRQ initialization, and refcounting in mlx4_srq_event(). No exploit proof or KEV listing is provided.
Mitigation direction
Apply vendor kernel updates that include the referenced stable Linux fixes.
For Red Hat systems, review the listed RHSA errata for applicable packages.
If mlx4/RDMA is unnecessary, evaluate vendor-supported ways to reduce or disable exposure.
Track vendor advisories for corrected affected-version ranges and backports.
Validation and detection
Inventory Linux kernel versions across RDMA-capable systems.
Identify hosts using mlx4 or Mellanox RDMA functionality.
Compare installed kernels against vendor advisories and RHSA errata.
Confirm the referenced stable commits are included in your deployed kernel build.
Document systems without mlx4/RDMA as lower-priority after verification.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-366: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
1ADP providers
18Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-366 · source CWE mapping
Race Condition within a Thread
Race Condition within a Thread represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.