CVE-2026-46084 Overview
CVE-2026-46084 is a Linux kernel vulnerability in the Microsoft Azure Network Adapter (MANA) InfiniBand driver (RDMA/mana_ib). The flaw resides in mana_ib_destroy_qp_rss(), which tears down Receive-Side Scaling (RSS) Queue Pair (QP) RX Work Queue (WQ) objects without disabling the corresponding vPort RX steering in firmware. The stale steering configuration continues to reference destroyed RX objects, leading to misrouted completions and kernel warnings when the Virtual Function (VF) interface is later brought up.
Critical Impact
Stale firmware steering can cause RX completions to be delivered on TX Completion Queues (CQs), triggering warnings in mana_poll_tx_cq and mana_gd_process_eq_events and producing kernel instability on Azure MANA-enabled hosts running RDMA workloads such as DPDK.
Affected Products
- Linux kernel RDMA/mana_ib driver
- Linux kernel mana_en ethernet driver (shared disable path)
- Microsoft Azure MANA-enabled VMs using RDMA/RSS workloads (e.g., DPDK)
Discovery Timeline
- 2026-05-27 - CVE-2026-46084 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46084
Vulnerability Analysis
The defect is a resource lifecycle bug in the MANA InfiniBand driver. When user-mode applications such as DPDK exit, mana_ib_destroy_qp_rss() releases the RX WQ objects but skips the firmware-side teardown of vPort RX steering. Because the steering table still maps incoming flows to the now-destroyed RX queues, any traffic arriving from a peer VM continues to be steered to freed objects.
When the VF interface is subsequently brought up via mana_open, the ethernet driver allocates new CQs and reuses CQ IDs previously bound to the destroyed RX queues. The firmware then delivers RX completions using these stale CQ IDs, landing them on TX CQs owned by the ethernet driver. This produces the observed warnings:
- WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] with is_sq == false
- WARNING: mana_gd_process_eq_events+0x209/0x290 where the cq_table lookup fails
Note that mana_fence_rqs() cannot be used in this teardown path because the fence completion is delivered on a CQ polled by user-mode and is not visible to the kernel driver. The fix introduces a shared mana_disable_vport_rx() helper in mana_en, exported for use by mana_ib, and invoked prior to destroying RX WQ objects.
Root Cause
The root cause is missing teardown ordering. mana_ib_destroy_qp_rss() does not call into the ethernet driver to disable vPort RX steering before releasing RX WQ objects, leaving firmware state inconsistent with kernel state.
Attack Vector
The issue is triggered by legitimate operational sequences, such as a DPDK process exiting while a peer continues transmitting and the VF is later reinitialized. No known authenticated network exploitation path is documented; the primary impact is kernel warnings and potential instability on RDMA-enabled Azure VMs.
No verified public proof-of-concept code is available. See the upstream patches for technical details: Linux Kernel Patch 3be5ed23, Linux Kernel Patch 6a2d6273, and Linux Kernel Patch f1ccc4d5.
Detection Methods for CVE-2026-46084
Indicators of Compromise
- Kernel log entries containing WARNING: mana_poll_tx_cq with is_sq == false.
- Kernel log entries containing WARNING: mana_gd_process_eq_events indicating a failed cq_table lookup.
- RX completion delivery on TX CQs observed after a DPDK or RDMA user-mode process exits and the VF interface is restarted.
Detection Strategies
- Monitor dmesg and journalctl -k on Azure MANA-enabled hosts for the warning signatures above.
- Correlate VF interface up/down events (mana_open) with prior RDMA process exits to identify the vulnerable sequence.
- Audit running kernel versions against the upstream stable trees referenced in the patches.
Monitoring Recommendations
- Ingest kernel logs from Azure VMs running DPDK or RDMA workloads into a centralized log platform and alert on mana_poll_tx_cq and mana_gd_process_eq_events warnings.
- Track mana_ib and mana_en module versions across the fleet to verify patch coverage.
- Flag repeated VF reset events as a possible symptom of stale steering state.
How to Mitigate CVE-2026-46084
Immediate Actions Required
- Update affected Linux kernels to a version containing the mana_disable_vport_rx() refactor and the fix to mana_ib_destroy_qp_rss().
- Reboot affected Azure VMs after kernel update to ensure the patched mana_ib and mana_en modules are loaded.
- Inventory hosts running DPDK or other RDMA user-mode workloads against MANA VFs and prioritize them for patching.
Patch Information
Upstream fixes are available across multiple stable branches. Apply the appropriate patch from the kernel.org stable trees: Linux Kernel Patch 3be5ed23, Linux Kernel Patch 6a2d6273, Linux Kernel Patch 8ba80486, Linux Kernel Patch dbeb256e, and Linux Kernel Patch f1ccc4d5. The fix disables vPort RX steering before destroying RX WQ objects via a shared helper exported from mana_en.
Workarounds
- Avoid restarting the VF interface (mana_open) immediately after RDMA user-mode processes such as DPDK exit while peer traffic is active.
- Where feasible, stop inbound traffic from peer VMs before tearing down RSS QPs to reduce the window for stale completions.
- Restrict use of MANA RDMA RSS workloads on unpatched kernels until updates are deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
