CVE-2026-46084

Source
https://cve.org/CVERecord?id=CVE-2026-46084
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46084.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46084
Downstream
Related
Published
2026-05-27T12:58:25.435Z
Modified
2026-06-26T11:56:10.842018683Z
Summary
RDMA/mana_ib: Disable RX steering on RSS QP destroy
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana_ib: Disable RX steering on RSS QP destroy

When an RSS QP is destroyed (e.g. DPDK exit), manaibdestroyqprss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs:

WARNING: manapolltxcq+0x1b8/0x220 [mana] (issq == false) WARNING: managdprocesseqevents+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that manafencerqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared manadisablevportrx() in manaen, exported for use by manaib, replacing the duplicate code. The ethernet driver's manadealloc_queues() is also updated to call this common function.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46084.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0266a177631d4c6b963b5b12dd986a8c5abdbf06
Fixed
6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f
Fixed
f1ccc4d500a0b87a5599343fc2f798048836e184
Fixed
8ba804869382ce307f2a15f5f6f2adfd791f41dc
Fixed
3be5ed233de03b00ae868cfc06e95331d8d9007c
Fixed
dbeb256e8dd87233d891b170c0b32a6466467036

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46084.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46084.json"