CVE-2026-23289
Description
In the Linux kernel, the following vulnerability has been resolved:
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
Fix a user triggerable leak on the system call failure path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing mthca_unmap_user_db() in mthca_create_srq() causes a user-triggerable memory leak, patched in Linux kernel stable updates.
Vulnerability
In the Linux kernel's InfiniBand mthca driver, the mthca_create_srq() function fails to call mthca_unmap_user_db() on the error path after a successful mthca_map_user_db(). This omission results in a resource leak that can be triggered by a user space application when creating a shared receive queue (SRQ) and then forcing the system call to fail [1].
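A user-space model of the error-path pattern described above, added here as an illustration; it is not the mthca driver's code. `db_table`, `map_user_db`, `unmap_user_db`, `later_step` and the two `create_srq_*` functions are hypothetical stand-ins, and the counter stands in for mapped user doorbell pages.

```c
#include <errno.h>
#include <stdio.h>

/* Model of a doorbell table: counts user doorbell pages currently mapped. */
struct db_table { int mapped; };

/* Stand-ins for the map/unmap pair (hypothetical, not the driver's functions). */
static int map_user_db(struct db_table *t) { t->mapped++; return 0; }
static void unmap_user_db(struct db_table *t) { t->mapped--; }

/* A later setup step that the caller can make fail. */
static int later_step(int fail) { return fail ? -EINVAL : 0; }

/* Before: a failure after the successful map returns without undoing it. */
static int create_srq_leaky(struct db_table *t, int fail)
{
    int err = map_user_db(t);
    if (err)
        return err;
    return later_step(fail);   /* on failure the mapping is left behind */
}

/* After: every failure that follows a successful map unwinds the mapping. */
static int create_srq_fixed(struct db_table *t, int fail)
{
    int err = map_user_db(t);
    if (err)
        return err;
    err = later_step(fail);
    if (err)
        unmap_user_db(t);      /* the cleanup the failure path was missing */
    return err;
}

/* Count the mappings still held after n failed create calls. */
static int leaked_after(int (*create)(struct db_table *, int), int n)
{
    struct db_table t = { 0 };
    for (int i = 0; i < n; i++)
        create(&t, 1);
    return t.mapped;
}

int main(void)
{
    printf("leaky: %d\n", leaked_after(create_srq_leaky, 1000));
    printf("fixed: %d\n", leaked_after(create_srq_fixed, 1000));
    return 0;
}
```

The same counter-based check works as a regression test for any map/unmap pair: after a failed call, the held count must equal its value before the call.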
Exploitation
The vulnerability is exploitable from user space via the ib_uverbs_create_srq system call. An attacker with access to InfiniBand devices and sufficient privileges to invoke the relevant verbs can intentionally cause the system call to fail, for instance by providing invalid parameters, thereby leaking the mapped user doorbell memory [1]. No authentication beyond local user access is required.
Impact
An attacker can exhaust system resources by repeatedly triggering the leak, leading to a denial-of-service (DoS) condition. The leaked memory is never freed, potentially causing system instability or resource exhaustion [1].
Mitigation
The fix has been applied in Linux kernel stable branches as commit 11ac61f4e9b7 and others [1]. Users should update their kernel to the latest stable version to remediate this issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/117942ca43e2e3c3d121faae530989931b7f67e1 (nvd)
- git.kernel.org/stable/c/11ac61f4e9b7c48b0dd44661765e5ace3c441aa3 (nvd)
- git.kernel.org/stable/c/72fcfd4df46f2ee684c4776664d0cfc6c1746c9a (nvd)
- git.kernel.org/stable/c/972b72d7e2d8fe1400f1c7a8304c282c539b7e02 (nvd)
- git.kernel.org/stable/c/d0148965dbca8cc8efa7e3d6e99940487bf661c0 (nvd)
- git.kernel.org/stable/c/da8eaa73bc37d004350ba68eb18b6ade8e49db52 (nvd)
- git.kernel.org/stable/c/deee46b37ebd8cc5ff810127883fca90f2412a7b (nvd)
- git.kernel.org/stable/c/f67f1ad4029e9fa183141546de31987b254c9292 (nvd)