RDMA/irdma: Fix double free related to rereg_user_mr

CVE	CVE-2026-43120
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 10:16:25 UTC
Updated	2026-05-12 21:37:37 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")

Primary CVSS: v3.1 7.8 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.023990000 (date 2026-05-12)

Problem Types: CWE-415

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 715fdb3b30541cc8180b7cdc6aa9f8c307afdf25 62298a48f8b8788ad8b8464e6ffdf1ddebd2217e git	Not specified
CNA	Linux	Linux	affected 5ac388db27c443dadfbb0b8b23fa7ccf429d901a 66964118f1f50ed85001c8fc9f7ab5bbdd021ee0 git	Not specified
CNA	Linux	Linux	affected 5ac388db27c443dadfbb0b8b23fa7ccf429d901a 0f22c32141acdcda266b26cab2b830baf870f3e0 git	Not specified
CNA	Linux	Linux	affected 5ac388db27c443dadfbb0b8b23fa7ccf429d901a 0c5d70bcb9d2275a1c8515a924016fcfeb4ab441 git	Not specified
CNA	Linux	Linux	affected 5ac388db27c443dadfbb0b8b23fa7ccf429d901a 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 git	Not specified
CNA	Linux	Linux	affected 6.7	Not specified
CNA	Linux	Linux	unaffected 6.7 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.136 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.83 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.24 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.14 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.