{"api_version":"1","generated_at":"2026-05-27T23:58:55+00:00","cve":"CVE-2026-46084","urls":{"html":"https://cve.report/CVE-2026-46084","api":"https://cve.report/api/cve/CVE-2026-46084.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46084","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46084"},"summary":{"title":"RDMA/mana_ib: Disable RX steering on RSS QP destroy","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: Disable RX steering on RSS QP destroy\n\nWhen an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()\ndestroys the RX WQ objects but does not disable vPort RX steering in\nfirmware. This leaves stale steering configuration that still points to\nthe destroyed RX objects.\n\nIf traffic continues to arrive (e.g. peer VM is still transmitting) and\nthe VF interface is subsequently brought up (mana_open), the firmware\nmay deliver completions using stale CQ IDs from the old RX objects.\nThese CQ IDs can be reused by the ethernet driver for new TX CQs,\ncausing RX completions to land on TX CQs:\n\n  WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]  (is_sq == false)\n  WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)\n\nFix this by disabling vPort RX steering before destroying RX WQ objects.\nNote that mana_fence_rqs() cannot be used here because the fence\ncompletion is delivered on the CQ, which is polled by user-mode (e.g.\nDPDK) and not visible to the kernel driver.\n\nRefactor the disable logic into a shared mana_disable_vport_rx() in\nmana_en, exported for use by mana_ib, replacing the duplicate code.\nThe ethernet driver's mana_dealloc_queues() is also updated to call\nthis common function.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:29","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184","name":"https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036","name":"https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c","name":"https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc","name":"https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f","name":"https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46084","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46084","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0266a177631d4c6b963b5b12dd986a8c5abdbf06 6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0266a177631d4c6b963b5b12dd986a8c5abdbf06 f1ccc4d500a0b87a5599343fc2f798048836e184 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0266a177631d4c6b963b5b12dd986a8c5abdbf06 8ba804869382ce307f2a15f5f6f2adfd791f41dc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0266a177631d4c6b963b5b12dd986a8c5abdbf06 3be5ed233de03b00ae868cfc06e95331d8d9007c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0266a177631d4c6b963b5b12dd986a8c5abdbf06 dbeb256e8dd87233d891b170c0b32a6466467036 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.86 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.27 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.4 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/infiniband/hw/mana/qp.c","drivers/net/ethernet/microsoft/mana/mana_en.c","include/net/mana/mana.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f","status":"affected","version":"0266a177631d4c6b963b5b12dd986a8c5abdbf06","versionType":"git"},{"lessThan":"f1ccc4d500a0b87a5599343fc2f798048836e184","status":"affected","version":"0266a177631d4c6b963b5b12dd986a8c5abdbf06","versionType":"git"},{"lessThan":"8ba804869382ce307f2a15f5f6f2adfd791f41dc","status":"affected","version":"0266a177631d4c6b963b5b12dd986a8c5abdbf06","versionType":"git"},{"lessThan":"3be5ed233de03b00ae868cfc06e95331d8d9007c","status":"affected","version":"0266a177631d4c6b963b5b12dd986a8c5abdbf06","versionType":"git"},{"lessThan":"dbeb256e8dd87233d891b170c0b32a6466467036","status":"affected","version":"0266a177631d4c6b963b5b12dd986a8c5abdbf06","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/infiniband/hw/mana/qp.c","drivers/net/ethernet/microsoft/mana/mana_en.c","include/net/mana/mana.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.2"},{"lessThan":"6.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.86","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.27","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.86","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.27","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.4","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"6.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: Disable RX steering on RSS QP destroy\n\nWhen an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()\ndestroys the RX WQ objects but does not disable vPort RX steering in\nfirmware. This leaves stale steering configuration that still points to\nthe destroyed RX objects.\n\nIf traffic continues to arrive (e.g. peer VM is still transmitting) and\nthe VF interface is subsequently brought up (mana_open), the firmware\nmay deliver completions using stale CQ IDs from the old RX objects.\nThese CQ IDs can be reused by the ethernet driver for new TX CQs,\ncausing RX completions to land on TX CQs:\n\n  WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]  (is_sq == false)\n  WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)\n\nFix this by disabling vPort RX steering before destroying RX WQ objects.\nNote that mana_fence_rqs() cannot be used here because the fence\ncompletion is delivered on the CQ, which is polled by user-mode (e.g.\nDPDK) and not visible to the kernel driver.\n\nRefactor the disable logic into a shared mana_disable_vport_rx() in\nmana_en, exported for use by mana_ib, replacing the duplicate code.\nThe ethernet driver's mana_dealloc_queues() is also updated to call\nthis common function."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:58:25.435Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f"},{"url":"https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184"},{"url":"https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc"},{"url":"https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c"},{"url":"https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036"}],"title":"RDMA/mana_ib: Disable RX steering on RSS QP destroy","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46084","datePublished":"2026-05-27T12:58:25.435Z","dateReserved":"2026-05-13T15:03:33.096Z","dateUpdated":"2026-05-27T12:58:25.435Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:29","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46084","Ordinal":"1","Title":"RDMA/mana_ib: Disable RX steering on RSS QP destroy","CVE":"CVE-2026-46084","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46084","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: Disable RX steering on RSS QP destroy\n\nWhen an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()\ndestroys the RX WQ objects but does not disable vPort RX steering in\nfirmware. This leaves stale steering configuration that still points to\nthe destroyed RX objects.\n\nIf traffic continues to arrive (e.g. peer VM is still transmitting) and\nthe VF interface is subsequently brought up (mana_open), the firmware\nmay deliver completions using stale CQ IDs from the old RX objects.\nThese CQ IDs can be reused by the ethernet driver for new TX CQs,\ncausing RX completions to land on TX CQs:\n\n  WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana]  (is_sq == false)\n  WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)\n\nFix this by disabling vPort RX steering before destroying RX WQ objects.\nNote that mana_fence_rqs() cannot be used here because the fence\ncompletion is delivered on the CQ, which is polled by user-mode (e.g.\nDPDK) and not visible to the kernel driver.\n\nRefactor the disable logic into a shared mana_disable_vport_rx() in\nmana_en, exported for use by mana_ib, replacing the duplicate code.\nThe ethernet driver's mana_dealloc_queues() is also updated to call\nthis common function.","Type":"Description","Title":"RDMA/mana_ib: Disable RX steering on RSS QP destroy"}]}}}