net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-23454
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-03 16:16:31 UTC
Updated2026-04-18 09:16:27 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.090980000 (date 2026-04-18)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f b88edf12fc3779521ae5f6f1584153b15f7da6df git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f e23bf444512cb85d76012080a76cd1f9e967448e git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f 249e905571583a434d4ea8d6f92ccc0eef337115 git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f 2b001901f689021acd7bf2dceed74a1bdcaaa1f9 git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f afdb1533eb9c05432aeb793a7280fa827c502f5c git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f 05d345719d85b927cba74afac4d5322de3aa4256 git Not specified
CNA Linux Linux affected ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f fa103fc8f56954a60699a29215cb713448a39e87 git Not specified
CNA Linux Linux affected 5.13 Not specified
CNA Linux Linux unaffected 5.13 semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.167 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.130 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.78 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.20 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.10 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report