Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Double Free in Linux kernel RDMA/irdma rereg_user_mr

IdentifiersCVE-2026-43120CWE-415· Double Free

CVE-2026-43120 is a Linux kernel vulnerability in the RDMA/irdma subsystem involving memory-region re-registration via rereg_user_mr. When IB_MR_REREG_TRANS is set, the reregistration path releases the existing umem and allocates a new one in irdma_rereg_mr_trans. If a later step in irdma_rereg_mr_trans fails after the new umem has been allocated, the function releases that new umem but leaves iwmr->region non-NULL. The failure is then returned to user space, and a subsequent normal cleanup call such as ibv_dereg_mr can enter the deregistration path, observe the stale non-NULL region pointer, and invoke ib_umem_release a second time on the same object. This results in a double free condition. The fix sets iwmr->region to NULL immediately after ib_umem_release in the failure path. The vulnerable functionality was introduced by commit 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region").

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw causes a kernel-space double free in the RDMA/irdma memory-registration lifecycle. As reflected by the published CVSS vectors, impact can include denial of service through kernel instability or crash, and potentially integrity and confidentiality consequences if the memory corruption is made exploitable. The Linux Kernel CNA and NVD score indicates high impact to confidentiality, integrity, and availability for a local attacker with low privileges.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting access to local users and workloads that can exercise RDMA verbs against the irdma driver, particularly memory-region re-registration operations using IB_MR_REREG_TRANS followed by deregistration on error. Limit availability of RDMA/irdma-capable devices to trusted tenants only, disable or avoid the affected irdma functionality where operationally feasible, and monitor for kernel crashes or anomalous behavior in RDMA workloads. No complete mitigation short of applying the fixed kernel is provided in the source content.

Remediation

Patch, then assume compromise.

Apply a kernel update containing the upstream fix for CVE-2026-43120. The remediation is to ensure the failure path in irdma_rereg_mr_trans clears iwmr->region to NULL after ib_umem_release so later deregistration does not release the same umem again. Vendor-fixed packages are available in SUSE advisories for affected product lines; examples in the provided content include SLES 15 SP6 LTSS and SLES for SAP 15 SP6 with kernel-default 6.4.0-150600.23.112.1 or later, SLES 15 SP7 lines with kernel-default 6.4.0-150700.53.55.1 or later, and SUSE Linux Micro 6.0/6.1 with kernel-default 6.4.0-46.1 or later.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43120
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43120
MITRE CWE · CWE-415
Double Free
Patch
git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441
Patch
git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0
Patch
git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2
Patch
git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e
Patch
git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0