CVE-2026-23289 Overview
A memory leak vulnerability has been identified in the Linux kernel's InfiniBand (IB) mthca driver. The vulnerability exists in the mthca_create_srq() function where a missing call to mthca_unmap_user_db() on the system call failure path allows a user-triggerable memory leak. This flaw enables local attackers to potentially exhaust system memory resources through repeated exploitation of the failure path.
Critical Impact
Local users can trigger a kernel memory leak through the IB/mthca driver's SRQ creation failure path, potentially leading to denial of service through resource exhaustion.
Affected Products
- Linux Kernel (IB/mthca driver)
- Systems utilizing Mellanox InfiniBand HCA hardware with mthca driver
Discovery Timeline
- 2026-03-25 - CVE-2026-23289 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23289
Vulnerability Analysis
This vulnerability is classified as a Memory Leak within the Linux kernel's InfiniBand subsystem. The mthca driver, which provides support for Mellanox InfiniBand Host Channel Adapters (HCAs), contains a flaw in the error handling logic of the mthca_create_srq() function.
When a Shared Receive Queue (SRQ) creation request fails after the user doorbell page has been mapped, the cleanup code path fails to call mthca_unmap_user_db() to properly release the mapped memory. This oversight allows a local user to repeatedly trigger the failure condition, causing memory resources to be leaked with each failed attempt.
The vulnerability is user-triggerable, meaning that unprivileged local users with access to InfiniBand device files may be able to exploit this flaw to gradually exhaust kernel memory resources.
Root Cause
The root cause is an incomplete error handling path in the mthca_create_srq() function. When the function allocates and maps a user doorbell database page via mthca_map_user_db() but subsequently fails at a later stage of SRQ creation, the error cleanup code does not include the corresponding mthca_unmap_user_db() call. This asymmetry between resource allocation and deallocation on the failure path results in memory leakage.
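The following user-space C model is an added illustration of the error-path asymmetry described above; it is not the mthca driver's code or the kernel patch. The fake_map_user_db(), fake_unmap_user_db() and fake_alloc_srq_buf() helpers, the create_srq_leaky()/create_srq_fixed() functions and the mapping counter are stand-ins so the pattern can be run and compared outside the kernel.

```c
#include <errno.h>
#include <stdbool.h>

/* Outstanding doorbell-page mappings; after a failed create it must be 0. */
static int mapped_db_pages;
int outstanding_db_mappings(void) { return mapped_db_pages; }

/* Stand-ins for mthca_map_user_db()/mthca_unmap_user_db() on one page. */
static int fake_map_user_db(void) { mapped_db_pages++; return 0; }
static void fake_unmap_user_db(void) { mapped_db_pages--; }

/* Stand-in for a later allocation step of SRQ creation that may fail. */
static int fake_alloc_srq_buf(bool fail) { return fail ? -ENOMEM : 0; }

/* Vulnerable shape: a later step fails and the early return skips the unmap. */
int create_srq_leaky(bool fail_late)
{
    int err = fake_map_user_db();
    if (err)
        return err;
    err = fake_alloc_srq_buf(fail_late);
    if (err)
        return err;            /* BUG: doorbell page still mapped */
    return 0;                  /* success: page stays mapped until destroy */
}

/* Fixed shape: failure unwinds through a label that releases the mapping. */
int create_srq_fixed(bool fail_late)
{
    int err = fake_map_user_db();
    if (err)
        return err;
    err = fake_alloc_srq_buf(fail_late);
    if (err)
        goto err_unmap;
    return 0;
err_unmap:
    fake_unmap_user_db();
    return err;
}

/* n failing creates through one shape; returns mappings left behind. */
int leaked_after_failed_creates(int n, bool use_fixed)
{
    mapped_db_pages = 0;
    for (int i = 0; i < n; i++)
        (void)(use_fixed ? create_srq_fixed(true) : create_srq_leaky(true));
    return mapped_db_pages;
}
```

Each failed call through the leaky shape leaves one mapping outstanding, which is the per-attempt growth a kmemleak or memory-pressure check would have to catch; the fixed shape leaves none.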
Attack Vector
An attacker with local access to the system and the ability to interact with InfiniBand device interfaces can exploit this vulnerability. The attack methodology involves:
- Opening the InfiniBand device through the uverbs interface
- Initiating SRQ creation requests designed to fail after the doorbell mapping occurs
- Repeating the process to accumulate leaked memory
- Eventually exhausting available kernel memory, leading to system instability or denial of service
The exploitation does not require elevated privileges but does require access to InfiniBand device files, which may be restricted based on system configuration.
Detection Methods for CVE-2026-23289
Indicators of Compromise
- Unusual memory consumption growth in kernel space without corresponding user-space activity
- Repeated failed SRQ creation attempts in InfiniBand-related kernel logs
- System memory pressure or OOM (Out of Memory) killer activations on systems with InfiniBand hardware
Detection Strategies
- Monitor kernel memory allocation patterns for anomalous growth in IB/mthca-related allocations
- Implement auditing on InfiniBand device file access to detect unusual access patterns
- Use kernel memory debugging tools such as kmemleak to identify unreferenced memory allocations
- Review system logs for repeated mthca_create_srq failures
Monitoring Recommendations
- Enable kernel memory leak detection mechanisms in development or testing environments
- Monitor /proc/meminfo and related sysfs entries for unexpected kernel memory consumption
- Implement alerting for InfiniBand subsystem errors through syslog monitoring
How to Mitigate CVE-2026-23289
Immediate Actions Required
- Apply the kernel patches provided by the Linux kernel maintainers
- Restrict access to InfiniBand device files to only authorized users and applications
- Monitor systems with mthca driver for signs of memory exhaustion
- Consider temporarily disabling the mthca driver if not actively required and patches cannot be immediately applied
Patch Information
The Linux kernel maintainers have released patches addressing this vulnerability across multiple stable kernel branches. The fix adds the missing mthca_unmap_user_db() call to the error handling path in mthca_create_srq().
Relevant kernel commits:
- Kernel Git Commit 117942c
- Kernel Git Commit 972b72d
- Kernel Git Commit d01489
- Kernel Git Commit da8eaa7
- Kernel Git Commit deee46b
- Kernel Git Commit f67f1ad
Workarounds
- Restrict access to /dev/infiniband/ device files using appropriate file permissions or access control mechanisms
- Use cgroups or namespace isolation to limit memory available to processes interacting with InfiniBand devices
- Unload the ib_mthca kernel module if InfiniBand functionality is not required: modprobe -r ib_mthca
# Restrict access to InfiniBand devices
chmod 600 /dev/infiniband/*
chown root:root /dev/infiniband/*
# Optionally unload the mthca driver if not needed
modprobe -r ib_mthca
# Add to /etc/modprobe.d/blacklist.conf to prevent auto-loading
echo "blacklist ib_mthca" >> /etc/modprobe.d/blacklist.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.