CVE-2026-45910

Source
https://cve.org/CVERecord?id=CVE-2026-45910
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45910.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45910
Downstream
Related
Published
2026-05-27T12:17:24.619Z
Modified
2026-06-26T11:56:33.108336918Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
RDMA/rxe: Fix race condition in QP timer handlers
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race condition in QP timer handlers

I encontered the following warning: WARNING: drivers/infiniband/sw/rxe/rxetask.c:249 at rxeschedtask+0x1c8/0x238 [rdmarxe], CPU#0: swapper/0/0 ... libsha1 [last unloaded: ip6udptunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxeschedtask+0x1c8/0x238 [rdmarxe] (P) retransmittimer+0x130/0x188 [rdmarxe] calltimer_fn+0x68/0x4d0 _runtimers+0x630/0x888 ... WARNING: drivers/infiniband/sw/rxe/rxetask.c:38 at rxeschedtask+0x1c0/0x238 [rdmarxe], CPU#0: swapper/0/0 ... WARNING: drivers/infiniband/sw/rxe/rxetask.c:111 at dowork+0x488/0x5c8 [rdmarxe], CPU#3: kworker/u17:4/93400 ... refcountt: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcountwarnsaturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400

The issue is caused by a race condition between retransmittimer() and rxedestroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution.

It seems this warning is harmless because rxeqpdo_cleanup() will flush all pending timers and requests.

Example of flow causing the issue:

CPU0 CPU1 retransmittimer() { spinlockirqsave rxedestroy_qp() __rxe_cleanup() _rxeput() // qp->refcount decrease to 0 rxeqpdocleanup() { if (qp->valid) { rxeschedtask() { WARNON(rxeread(task->qp) <= 0); } } spinunlockirqrestore } spinlockirqsave qp->valid = 0 spinunlockirqrestore }

Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxeget(qp) and corresponding rxeput(qp) after use.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45910.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d94671632572813e90bcf475bb4c7d51fbf20173
Fixed
756c93d6df7c3bc599f6590b8e5afead6a41de1c
Fixed
3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2
Fixed
5ae9da022ee3c97e6469eabcddce9271501ddbad
Fixed
da379ca16af3722f159860d91a99cb6976a7500f
Fixed
87bf646921430e303176edc4eb07c30160361b73

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45910.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45910.json"