What is GHSA-r8g9-gm9p-ff4h?

GHSA-r8g9-gm9p-ff4h is a security advisory published by GitHub Security Advisories with High severity. In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path...

Which CVE IDs does GHSA-r8g9-gm9p-ff4h cover?

GHSA-r8g9-gm9p-ff4h covers the following CVE IDs: CVE-2026-46176. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-r8g9-gm9p-ff4h?

GHSA-r8g9-gm9p-ff4h has a CVSS v3 base score of 7.8, published by GitHub Security Advisories.

GHSA-r8g9-gm9p-ff4hHighCVSS 7.8

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path...

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 30, 2026

🔗 CVE IDs covered (1)

CVE-2026-46176 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same goto unlock in the s1 failure path.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (7)