{"api_version":"1","generated_at":"2026-05-28T01:04:07+00:00","cve":"CVE-2026-45973","urls":{"html":"https://cve.report/CVE-2026-45973","api":"https://cve.report/api/cve/CVE-2026-45973.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45973","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45973"},"summary":{"title":"RDMA/mlx5: Fix UMR hang in LAG error state unload","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix UMR hang in LAG error state unload\n\nDuring firmware reset in LAG mode, a race condition causes the driver\nto hang indefinitely while waiting for UMR completion during device\nunload. See [1].\n\nIn LAG mode the bond device is only registered on the master, so it\nnever sees sys_error events from the slave.\nDuring firmware reset this causes UMR waits to hang forever on unload\nas the slave is dead but the master hasn't entered error state yet, so\nUMR posts succeed but completions never arrive.\n\nFix this by adding a sys_error notifier that gets registered before\nMLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().\nThis ensures error events reach the bond device throughout teardown.\n\n[1]\nCall Trace:\n __schedule+0x2bd/0x760\n schedule+0x37/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.isra.6+0x2b5/0x4a0\n __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]\n ? __xa_erase+0x4a/0xa0\n ? _cond_resched+0x15/0x30\n ? wait_for_completion+0x31/0x100\n ib_dereg_mr_user+0x48/0xc0 [ib_core]\n ? rdmacg_uncharge_hierarchy+0xa0/0x100\n destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]\n __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]\n ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n remove_client_context+0x8b/0xd0 [ib_core]\n disable_device+0x8c/0x130 [ib_core]\n __ib_unregister_device+0x10d/0x180 [ib_core]\n ib_unregister_device+0x21/0x30 [ib_core]\n __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]\n auxiliary_bus_remove+0x1e/0x30\n device_release_driver_internal+0x103/0x1f0\n bus_remove_device+0xf7/0x170\n device_del+0x181/0x410\n mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]\n mlx5_disable_lag+0x253/0x260 [mlx5_core]\n mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]\n mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]\n mlx5_unload+0x15/0xd0 [mlx5_core]\n mlx5_unload_one+0x71/0xc0 [mlx5_core]\n mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]\n process_one_work+0x1a7/0x360\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x22/0x40","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:14","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211","name":"https://git.kernel.org/stable/c/ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc","name":"https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c8fb5c965ac7d0104872a8e4f6451f3bc6328199","name":"https://git.kernel.org/stable/c/c8fb5c965ac7d0104872a8e4f6451f3bc6328199","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6d838873da9cb97551d42316967cc82bf8f8031b","name":"https://git.kernel.org/stable/c/6d838873da9cb97551d42316967cc82bf8f8031b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45973","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45973","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6b0acf6a94c31efa43fce4edc22413a3390f9c05 c8fb5c965ac7d0104872a8e4f6451f3bc6328199 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 6d838873da9cb97551d42316967cc82bf8f8031b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 613f5d4139b6ba801ccd93f9a28943be60d903bc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ede132a5cf559f3ab35a4c28bac4f4a6c20334d8 ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 542bd62b7a7f37182c9ef192c2bd25d118c144e4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.2 6.12.75 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.64 6.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.11.11 6.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/infiniband/hw/mlx5/main.c","drivers/infiniband/hw/mlx5/mlx5_ib.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c8fb5c965ac7d0104872a8e4f6451f3bc6328199","status":"affected","version":"6b0acf6a94c31efa43fce4edc22413a3390f9c05","versionType":"git"},{"lessThan":"6d838873da9cb97551d42316967cc82bf8f8031b","status":"affected","version":"ede132a5cf559f3ab35a4c28bac4f4a6c20334d8","versionType":"git"},{"lessThan":"613f5d4139b6ba801ccd93f9a28943be60d903bc","status":"affected","version":"ede132a5cf559f3ab35a4c28bac4f4a6c20334d8","versionType":"git"},{"lessThan":"ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211","status":"affected","version":"ede132a5cf559f3ab35a4c28bac4f4a6c20334d8","versionType":"git"},{"status":"affected","version":"921fcf2971a1e8d3b904ba2c2905b96f4ec3d4ad","versionType":"git"},{"status":"affected","version":"542bd62b7a7f37182c9ef192c2bd25d118c144e4","versionType":"git"},{"lessThan":"6.12.75","status":"affected","version":"6.12.2","versionType":"semver"},{"lessThan":"6.7","status":"affected","version":"6.6.64","versionType":"semver"},{"lessThan":"6.12","status":"affected","version":"6.11.11","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/infiniband/hw/mlx5/main.c","drivers/infiniband/hw/mlx5/mlx5_ib.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.13"},{"lessThan":"6.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"6.12.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"6.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.64","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix UMR hang in LAG error state unload\n\nDuring firmware reset in LAG mode, a race condition causes the driver\nto hang indefinitely while waiting for UMR completion during device\nunload. See [1].\n\nIn LAG mode the bond device is only registered on the master, so it\nnever sees sys_error events from the slave.\nDuring firmware reset this causes UMR waits to hang forever on unload\nas the slave is dead but the master hasn't entered error state yet, so\nUMR posts succeed but completions never arrive.\n\nFix this by adding a sys_error notifier that gets registered before\nMLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().\nThis ensures error events reach the bond device throughout teardown.\n\n[1]\nCall Trace:\n __schedule+0x2bd/0x760\n schedule+0x37/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.isra.6+0x2b5/0x4a0\n __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]\n ? __xa_erase+0x4a/0xa0\n ? _cond_resched+0x15/0x30\n ? wait_for_completion+0x31/0x100\n ib_dereg_mr_user+0x48/0xc0 [ib_core]\n ? rdmacg_uncharge_hierarchy+0xa0/0x100\n destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]\n __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]\n ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n remove_client_context+0x8b/0xd0 [ib_core]\n disable_device+0x8c/0x130 [ib_core]\n __ib_unregister_device+0x10d/0x180 [ib_core]\n ib_unregister_device+0x21/0x30 [ib_core]\n __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]\n auxiliary_bus_remove+0x1e/0x30\n device_release_driver_internal+0x103/0x1f0\n bus_remove_device+0xf7/0x170\n device_del+0x181/0x410\n mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]\n mlx5_disable_lag+0x253/0x260 [mlx5_core]\n mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]\n mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]\n mlx5_unload+0x15/0xd0 [mlx5_core]\n mlx5_unload_one+0x71/0xc0 [mlx5_core]\n mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]\n process_one_work+0x1a7/0x360\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x22/0x40"}],"providerMetadata":{"dateUpdated":"2026-05-27T12:18:32.270Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c8fb5c965ac7d0104872a8e4f6451f3bc6328199"},{"url":"https://git.kernel.org/stable/c/6d838873da9cb97551d42316967cc82bf8f8031b"},{"url":"https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc"},{"url":"https://git.kernel.org/stable/c/ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211"}],"title":"RDMA/mlx5: Fix UMR hang in LAG error state unload","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45973","datePublished":"2026-05-27T12:18:32.270Z","dateReserved":"2026-05-13T15:03:33.090Z","dateUpdated":"2026-05-27T12:18:32.270Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:14","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45973","Ordinal":"1","Title":"RDMA/mlx5: Fix UMR hang in LAG error state unload","CVE":"CVE-2026-45973","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45973","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix UMR hang in LAG error state unload\n\nDuring firmware reset in LAG mode, a race condition causes the driver\nto hang indefinitely while waiting for UMR completion during device\nunload. See [1].\n\nIn LAG mode the bond device is only registered on the master, so it\nnever sees sys_error events from the slave.\nDuring firmware reset this causes UMR waits to hang forever on unload\nas the slave is dead but the master hasn't entered error state yet, so\nUMR posts succeed but completions never arrive.\n\nFix this by adding a sys_error notifier that gets registered before\nMLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().\nThis ensures error events reach the bond device throughout teardown.\n\n[1]\nCall Trace:\n __schedule+0x2bd/0x760\n schedule+0x37/0xa0\n schedule_preempt_disabled+0xa/0x10\n __mutex_lock.isra.6+0x2b5/0x4a0\n __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]\n ? __xa_erase+0x4a/0xa0\n ? _cond_resched+0x15/0x30\n ? wait_for_completion+0x31/0x100\n ib_dereg_mr_user+0x48/0xc0 [ib_core]\n ? rdmacg_uncharge_hierarchy+0xa0/0x100\n destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]\n __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]\n ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n remove_client_context+0x8b/0xd0 [ib_core]\n disable_device+0x8c/0x130 [ib_core]\n __ib_unregister_device+0x10d/0x180 [ib_core]\n ib_unregister_device+0x21/0x30 [ib_core]\n __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]\n auxiliary_bus_remove+0x1e/0x30\n device_release_driver_internal+0x103/0x1f0\n bus_remove_device+0xf7/0x170\n device_del+0x181/0x410\n mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]\n mlx5_disable_lag+0x253/0x260 [mlx5_core]\n mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]\n mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]\n mlx5_unload+0x15/0xd0 [mlx5_core]\n mlx5_unload_one+0x71/0xc0 [mlx5_core]\n mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]\n process_one_work+0x1a7/0x360\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x22/0x40","Type":"Description","Title":"RDMA/mlx5: Fix UMR hang in LAG error state unload"}]}}}