CVE-2026-23454
Description
In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().
mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp().
Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's Microsoft Azure Network Adapter (MANA) driver can occur during channel teardown if interrupt handlers access freed memory before completion queue destruction.
In the Linux kernel's MANA driver, a race condition exists in mana_hwc_destroy_channel() where the hwc->caller_ctx memory is freed via kfree() before the hardware Completion Queue (CQ) and Event Queue (EQ) are torn down. This can lead to a use-after-free when mana_hwc_handle_resp(), called from an in-flight CQ interrupt handler, dereferences the freed caller_ctx (and rxq->msg_buf).
The root cause is that mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against interrupt handlers already executing on other CPUs. The required interrupt synchronization only happens later, inside mana_hwc_destroy_cq() -> mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this synchronization call occurs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can still access the freed memory, resulting in memory corruption or a crash.
An attacker who can trigger a MANA channel teardown (e.g., during device reset or namespace removal) may cause a kernel panic or, potentially, gain further privileges if the freed memory is repurposed. The vulnerability can be triggered without special privileges if the attack vector is reachable from unprivileged contexts, though the exact prerequisites depend on the system configuration.
The fix reorders the teardown sequence to follow the reverse of the creation order: TX and RX work queues are destroyed first, then the CQ and EQ, and finally hwc->caller_ctx is freed. This ensures all interrupt handlers complete before the memory they access is released [1][2][3][4]. Patched versions of the Linux kernel are available; users should update to the latest stable kernels to mitigate this issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
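The ordering problem described above, as an added user-space model in C (not the MANA driver's code or the upstream patch): a parked thread stands in for a CQ handler already executing on another CPU, and teardown() returns how many handler accesses land after the context was released. All names are hypothetical, and the context is poisoned rather than freed so the model itself has no undefined behaviour.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>

/* User-space model only; names are hypothetical stand-ins, not driver code. */
struct caller_ctx { atomic_bool freed; };  /* stands in for hwc->caller_ctx */
struct channel {
    struct caller_ctx *ctx;
    atomic_bool in_flight;   /* handler has started on "another CPU" */
    atomic_bool gate;        /* handler stays mid-execution until set */
    int stale_derefs;        /* handler accesses made after release */
    pthread_t irq;
};

/* Models a CQ interrupt handler that is already executing. */
static void *handler(void *arg)
{
    struct channel *ch = arg;
    atomic_store(&ch->in_flight, true);
    while (!atomic_load(&ch->gate))
        sched_yield();
    if (atomic_load(&ch->ctx->freed))    /* the dereference at issue */
        ch->stale_derefs++;
    return NULL;
}

/* Models CQ/EQ destruction: returns only after the handler has finished. */
static void destroy_cq_eq(struct channel *ch)
{
    atomic_store(&ch->gate, true);
    pthread_join(ch->irq, NULL);
}

/* Poison rather than free() so the model has no undefined behaviour. */
static void release_ctx(struct channel *ch) { atomic_store(&ch->ctx->freed, true); }

/* Returns how many handler accesses hit released memory. */
int teardown(bool ctx_first)
{
    struct caller_ctx ctx = { false };
    struct channel ch = { .ctx = &ctx };
    pthread_create(&ch.irq, NULL, handler, &ch);
    while (!atomic_load(&ch.in_flight))
        sched_yield();                   /* wait until a handler is in flight */
    if (ctx_first) { release_ctx(&ch); destroy_cq_eq(&ch); }  /* pre-fix order */
    else           { destroy_cq_eq(&ch); release_ctx(&ch); }  /* fixed order */
    return ch.stale_derefs;
}
int main(void) { return teardown(false); }
```

Releasing the context first leaves the parked handler to read it afterwards; destroying the CQ/EQ first waits the handler out, so the release happens with nothing left to observe it.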
Affected products (1)
Patches (0)
No patches discovered yet.
References (7)
- git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256 (nvd)
- git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115 (nvd)
- git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9 (nvd)
- git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c (nvd)
- git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df (nvd)
- git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e (nvd)
- git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87 (nvd)