In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix double free in rxesrqfrom_init
In rxesrqfrominit(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copytouser() fails, the function calls rxequeue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.
The caller of rxesrqfrominit() (rxecreatesrq) eventually calls rxesrqcleanup() upon receiving the error, which triggers a second rxequeue_cleanup() on the same memory, leading to a double free.
The call trace looks like this: kmemcachefree+0x.../0x... rxequeuecleanup+0x1a/0x30 [rdmarxe] rxesrqcleanup+0x42/0x60 [rdmarxe] rxeelemrelease+0x31/0x70 [rdmarxe] rxecreatesrq+0x12b/0x1a0 [rdmarxe] ibcreatesrquser+0x9a/0x150 [ibcore]
Fix this by moving 'srq->rq.queue = q' after copytouser.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45852.json",
"cna_assigner": "Linux"
}