{"api_version":"1","generated_at":"2026-05-30T17:07:57+00:00","cve":"CVE-2026-45898","urls":{"html":"https://cve.report/CVE-2026-45898","api":"https://cve.report/api/cve/CVE-2026-45898.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45898","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45898"},"summary":{"title":"RDMA/iwcm: Fix workqueue list corruption by removing work_list","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix workqueue list corruption by removing work_list\n\nThe commit e1168f0 (\"RDMA/iwcm: Simplify cm_event_handler()\")\nchanged the work submission logic to unconditionally call\nqueue_work() with the expectation that queue_work() would\nhave no effect if work was already pending. The problem is\nthat a free list of struct iwcm_work is used (for which\nstruct work_struct is embedded), so each call to queue_work()\nis basically unique and therefore does indeed queue the work.\n\nThis causes a problem in the work handler which walks the work_list\nuntil it's empty to process entries. This means that a single\nrun of the work handler could process item N+1 and release it\nback to the free list while the actual workqueue entry is still\nqueued. It could then get reused (INIT_WORK...) and lead to\nlist corruption in the workqueue logic.\n\nFix this by just removing the work_list. The workqueue already\ndoes this for us.\n\nThis fixes the following error that was observed when stress\ntesting with ucmatose on an Intel E830 in iWARP mode:\n\n[  151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)\n[  151.466639] ------------[ cut here ]------------\n[  151.466986] kernel BUG at lib/list_debug.c:67!\n[  151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[  151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)\n[  151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  151.469192] Workqueue:  0x0 (iw_cm_wq)\n[  151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100\n[  151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90\n[  151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046\n[  151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027\n[  151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600\n[  151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff\n[  151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68\n[  151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000\n[  151.474344] FS:  0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000\n[  151.474934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0\n[  151.475895] PKRU: 55555554\n[  151.476118] Call Trace:\n[  151.476331]  <TASK>\n[  151.476497]  move_linked_works+0x49/0xa0\n[  151.476792]  __pwq_activate_work.isra.46+0x2f/0xa0\n[  151.477151]  pwq_dec_nr_in_flight+0x1e0/0x2f0\n[  151.477479]  process_scheduled_works+0x1c8/0x410\n[  151.477823]  worker_thread+0x125/0x260\n[  151.478108]  ? __pfx_worker_thread+0x10/0x10\n[  151.478430]  kthread+0xfe/0x240\n[  151.478671]  ? __pfx_kthread+0x10/0x10\n[  151.478955]  ? __pfx_kthread+0x10/0x10\n[  151.479240]  ret_from_fork+0x208/0x270\n[  151.479523]  ? __pfx_kthread+0x10/0x10\n[  151.479806]  ret_from_fork_asm+0x1a/0x30\n[  151.480103]  </TASK>","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:04","updated_at":"2026-05-30 11:17:15"},"problem_types":[],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/a6b9e793e74e372daa266fd0d58b751305877897","name":"https://git.kernel.org/stable/c/a6b9e793e74e372daa266fd0d58b751305877897","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/eb715133e0ae12514bba4d2d5ce1dee774476056","name":"https://git.kernel.org/stable/c/eb715133e0ae12514bba4d2d5ce1dee774476056","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/38c5b49fffa1b760959af74f11806eeb3ef4706d","name":"https://git.kernel.org/stable/c/38c5b49fffa1b760959af74f11806eeb3ef4706d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7874eeacfa42177565c01d5198726671acf7adf2","name":"https://git.kernel.org/stable/c/7874eeacfa42177565c01d5198726671acf7adf2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45898","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45898","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e1168f09b3314992f1c5251f3793102035da7237 38c5b49fffa1b760959af74f11806eeb3ef4706d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e1168f09b3314992f1c5251f3793102035da7237 eb715133e0ae12514bba4d2d5ce1dee774476056 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e1168f09b3314992f1c5251f3793102035da7237 a6b9e793e74e372daa266fd0d58b751305877897 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e1168f09b3314992f1c5251f3793102035da7237 7874eeacfa42177565c01d5198726671acf7adf2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45898","cve":"CVE-2026-45898","epss":"0.000180000","percentile":"0.049190000","score_date":"2026-05-29","updated_at":"2026-05-30 00:13:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/infiniband/core/iwcm.c","drivers/infiniband/core/iwcm.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"38c5b49fffa1b760959af74f11806eeb3ef4706d","status":"affected","version":"e1168f09b3314992f1c5251f3793102035da7237","versionType":"git"},{"lessThan":"eb715133e0ae12514bba4d2d5ce1dee774476056","status":"affected","version":"e1168f09b3314992f1c5251f3793102035da7237","versionType":"git"},{"lessThan":"a6b9e793e74e372daa266fd0d58b751305877897","status":"affected","version":"e1168f09b3314992f1c5251f3793102035da7237","versionType":"git"},{"lessThan":"7874eeacfa42177565c01d5198726671acf7adf2","status":"affected","version":"e1168f09b3314992f1c5251f3793102035da7237","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/infiniband/core/iwcm.c","drivers/infiniband/core/iwcm.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.11"},{"lessThan":"6.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix workqueue list corruption by removing work_list\n\nThe commit e1168f0 (\"RDMA/iwcm: Simplify cm_event_handler()\")\nchanged the work submission logic to unconditionally call\nqueue_work() with the expectation that queue_work() would\nhave no effect if work was already pending. The problem is\nthat a free list of struct iwcm_work is used (for which\nstruct work_struct is embedded), so each call to queue_work()\nis basically unique and therefore does indeed queue the work.\n\nThis causes a problem in the work handler which walks the work_list\nuntil it's empty to process entries. This means that a single\nrun of the work handler could process item N+1 and release it\nback to the free list while the actual workqueue entry is still\nqueued. It could then get reused (INIT_WORK...) and lead to\nlist corruption in the workqueue logic.\n\nFix this by just removing the work_list. The workqueue already\ndoes this for us.\n\nThis fixes the following error that was observed when stress\ntesting with ucmatose on an Intel E830 in iWARP mode:\n\n[  151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)\n[  151.466639] ------------[ cut here ]------------\n[  151.466986] kernel BUG at lib/list_debug.c:67!\n[  151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[  151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)\n[  151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  151.469192] Workqueue:  0x0 (iw_cm_wq)\n[  151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100\n[  151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90\n[  151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046\n[  151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027\n[  151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600\n[  151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff\n[  151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68\n[  151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000\n[  151.474344] FS:  0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000\n[  151.474934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0\n[  151.475895] PKRU: 55555554\n[  151.476118] Call Trace:\n[  151.476331]  <TASK>\n[  151.476497]  move_linked_works+0x49/0xa0\n[  151.476792]  __pwq_activate_work.isra.46+0x2f/0xa0\n[  151.477151]  pwq_dec_nr_in_flight+0x1e0/0x2f0\n[  151.477479]  process_scheduled_works+0x1c8/0x410\n[  151.477823]  worker_thread+0x125/0x260\n[  151.478108]  ? __pfx_worker_thread+0x10/0x10\n[  151.478430]  kthread+0xfe/0x240\n[  151.478671]  ? __pfx_kthread+0x10/0x10\n[  151.478955]  ? __pfx_kthread+0x10/0x10\n[  151.479240]  ret_from_fork+0x208/0x270\n[  151.479523]  ? __pfx_kthread+0x10/0x10\n[  151.479806]  ret_from_fork_asm+0x1a/0x30\n[  151.480103]  </TASK>"}],"metrics":[{"cvssV3_1":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-30T10:45:49.572Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/38c5b49fffa1b760959af74f11806eeb3ef4706d"},{"url":"https://git.kernel.org/stable/c/eb715133e0ae12514bba4d2d5ce1dee774476056"},{"url":"https://git.kernel.org/stable/c/a6b9e793e74e372daa266fd0d58b751305877897"},{"url":"https://git.kernel.org/stable/c/7874eeacfa42177565c01d5198726671acf7adf2"}],"title":"RDMA/iwcm: Fix workqueue list corruption by removing work_list","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45898","datePublished":"2026-05-27T12:17:07.737Z","dateReserved":"2026-05-13T15:03:33.083Z","dateUpdated":"2026-05-30T10:45:49.572Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:04","lastModifiedDate":"2026-05-30 11:17:15","problem_types":[],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45898","Ordinal":"1","Title":"RDMA/iwcm: Fix workqueue list corruption by removing work_list","CVE":"CVE-2026-45898","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45898","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix workqueue list corruption by removing work_list\n\nThe commit e1168f0 (\"RDMA/iwcm: Simplify cm_event_handler()\")\nchanged the work submission logic to unconditionally call\nqueue_work() with the expectation that queue_work() would\nhave no effect if work was already pending. The problem is\nthat a free list of struct iwcm_work is used (for which\nstruct work_struct is embedded), so each call to queue_work()\nis basically unique and therefore does indeed queue the work.\n\nThis causes a problem in the work handler which walks the work_list\nuntil it's empty to process entries. This means that a single\nrun of the work handler could process item N+1 and release it\nback to the free list while the actual workqueue entry is still\nqueued. It could then get reused (INIT_WORK...) and lead to\nlist corruption in the workqueue logic.\n\nFix this by just removing the work_list. The workqueue already\ndoes this for us.\n\nThis fixes the following error that was observed when stress\ntesting with ucmatose on an Intel E830 in iWARP mode:\n\n[  151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)\n[  151.466639] ------------[ cut here ]------------\n[  151.466986] kernel BUG at lib/list_debug.c:67!\n[  151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[  151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)\n[  151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[  151.469192] Workqueue:  0x0 (iw_cm_wq)\n[  151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100\n[  151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90\n[  151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046\n[  151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027\n[  151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600\n[  151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff\n[  151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68\n[  151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000\n[  151.474344] FS:  0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000\n[  151.474934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0\n[  151.475895] PKRU: 55555554\n[  151.476118] Call Trace:\n[  151.476331]  <TASK>\n[  151.476497]  move_linked_works+0x49/0xa0\n[  151.476792]  __pwq_activate_work.isra.46+0x2f/0xa0\n[  151.477151]  pwq_dec_nr_in_flight+0x1e0/0x2f0\n[  151.477479]  process_scheduled_works+0x1c8/0x410\n[  151.477823]  worker_thread+0x125/0x260\n[  151.478108]  ? __pfx_worker_thread+0x10/0x10\n[  151.478430]  kthread+0xfe/0x240\n[  151.478671]  ? __pfx_kthread+0x10/0x10\n[  151.478955]  ? __pfx_kthread+0x10/0x10\n[  151.479240]  ret_from_fork+0x208/0x270\n[  151.479523]  ? __pfx_kthread+0x10/0x10\n[  151.479806]  ret_from_fork_asm+0x1a/0x30\n[  151.480103]  </TASK>","Type":"Description","Title":"RDMA/iwcm: Fix workqueue list corruption by removing work_list"}]}}}