CVE-2026-45910 Overview
CVE-2026-45910 is a race condition vulnerability in the Linux kernel's Soft RoCE (RDMA over Converged Ethernet) driver, specifically in the rxe module located at drivers/infiniband/sw/rxe/. The flaw exists between the retransmit_timer() callback and rxe_destroy_qp(), allowing a Queue Pair's (QP) reference count to drop to zero during timer handler execution. This leads to a use-after-free condition flagged by refcount_t: underflow warnings in the kernel log. The issue affects systems leveraging the software RDMA transport, including ARM64 platforms such as the Raspberry Pi 4 referenced in the original report.
Critical Impact
Concurrent execution of QP timer callbacks and QP destruction can trigger a use-after-free on the QP reference counter, producing kernel warnings and potential memory safety violations in the RDMA subsystem.
Affected Products
- Linux kernel versions containing the rdma_rxe driver prior to the fix
- Linux kernel 6.19.0-rc5 confirmed affected in the reported trace
- Distributions shipping the Soft RoCE (rxe) software RDMA transport
Discovery Timeline
- 2026-05-27 - CVE CVE-2026-45910 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45910
Vulnerability Analysis
The vulnerability resides in the rdma_rxe driver, which implements RDMA semantics in software over standard Ethernet. The retransmit_timer() function executes asynchronously from the kernel timer subsystem and operates on a Queue Pair object. Concurrently, rxe_destroy_qp() can run on another CPU, invoking __rxe_cleanup() and __rxe_put(), which decrement the QP reference count to zero. When this occurs while the timer handler is still executing, the timer callback subsequently calls rxe_sched_task(), which triggers WARN_ON(rxe_read(task->qp) <= 0) because the reference count has already been released.
Root Cause
The root cause is missing reference counting inside the QP timer callbacks. The timer handler acquires a spinlock but does not take a reference on the QP, so a parallel destruction path can release the final reference while the timer is mid-execution. Once __rxe_put() drops the count to zero, rxe_qp_do_cleanup() proceeds to flush pending work, racing the active timer callback and producing refcount underflow warnings.
Attack Vector
Exploitation requires the ability to create and destroy RDMA Queue Pairs through the Soft RoCE driver, typically available to local processes with access to the /dev/infiniband/ interfaces. The race is triggered by issuing concurrent QP teardown operations while retransmission timers are active. The reporter notes the warning is likely harmless in practice because rxe_qp_do_cleanup() eventually flushes pending timers and requests, however the underflow indicates a genuine memory safety defect that could be weaponized under specific timing conditions.
The vulnerability mechanism is documented in the upstream commit messages. See the Linux Kernel Commit 756c93d6 for the authoritative technical description and patch flow analysis.
Detection Methods for CVE-2026-45910
Indicators of Compromise
- Kernel log entries containing WARNING: drivers/infiniband/sw/rxe/rxe_task.c at lines 38, 111, or 249
- refcount_t: underflow; use-after-free warnings originating from refcount_warn_saturate with rxe_sched_task or do_work in the call stack
- Repeated stack traces involving retransmit_timer+0x130 and call_timer_fn from rdma_rxe
Detection Strategies
- Monitor dmesg and journalctl -k output for kernel WARN_ON events referencing the rdma_rxe module
- Audit hosts loading the rdma_rxe kernel module via lsmod | grep rdma_rxe and inventory systems exposing Soft RoCE
- Correlate workload patterns that create and tear down QPs at high frequency with kernel warnings in centralized logging
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized log pipeline and alert on rxe_task.c warnings or refcount underflow strings
- Track loaded kernel modules and version drift across the fleet to identify hosts still running unpatched rdma_rxe
- Inspect process activity touching /dev/infiniband/ devices and the rdma-core userspace stack for unexpected callers
How to Mitigate CVE-2026-45910
Immediate Actions Required
- Apply the upstream Linux kernel patches that add rxe_get(qp) and rxe_put(qp) calls around timer callback execution
- If patching is not immediately feasible, unload the rdma_rxe module on hosts that do not require Soft RoCE functionality
- Inventory all systems where the rdma_rxe module is loaded at boot and prioritize them for kernel updates
Patch Information
The fix ensures the QP's reference count is held and validity is checked within timer callbacks. The corrective patches have been merged into the stable kernel tree across multiple branches:
- Linux Kernel Commit 3c2ae79
- Linux Kernel Commit 5ae9da02
- Linux Kernel Commit 756c93d6
- Linux Kernel Commit 87bf6469
- Linux Kernel Commit da379ca1
Workarounds
- Blacklist the rdma_rxe module on systems that do not require software RDMA: add blacklist rdma_rxe to /etc/modprobe.d/blacklist-rxe.conf
- Restrict access to /dev/infiniband/ device nodes to trusted users and services via filesystem permissions
- Limit creation and destruction of RDMA Queue Pairs to controlled application workloads where timing-sensitive teardown patterns can be avoided
# Configuration example - disable Soft RoCE module where not required
echo "blacklist rdma_rxe" | sudo tee /etc/modprobe.d/blacklist-rxe.conf
sudo rmmod rdma_rxe 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
