CVE-2026-45907

Published: May 27, 2026 · Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix deadlocks between devlink and netdev instance locks

In the mentioned "Fixes" commit, various work tasks triggering devlink
health reporter recovery were switched to use netdev_trylock to protect
against concurrent tear down of the channels being recovered. But this
had the side effect of introducing potential deadlocks because of
incorrect lock ordering.

The correct lock order is described by the init flow:

  probe_one -> mlx5_init_one (acquires devlink lock)
  -> mlx5_init_one_devl_locked -> mlx5_register_device
  -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe
  -> register_netdev (acquires rtnl lock)
  -> register_netdevice (acquires netdev lock)
  => devlink lock -> rtnl lock -> netdev lock.

But in the current recovery flow, the order is wrong:

  mlx5e_tx_err_cqe_work (acquires netdev lock)
  -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report
  -> devlink_health_report (acquires devlink lock => boom!)
  -> devlink_health_reporter_recover
  -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx
  -> mlx5e_tx_reporter_err_cqe_recover

The same pattern exists in:

  mlx5e_reporter_rx_timeout
  mlx5e_reporter_tx_ptpsq_unhealthy
  mlx5e_reporter_tx_timeout

Fix these by moving the netdev_trylock calls from the work handlers
lower in the call stack, in the respective recovery functions, where
they are actually necessary.

NVD Source
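
The lock-order argument in the description above can be checked mechanically, in the style of the kernel's lockdep validator. The following is an added example, not code from the kernel or from the fix: the lock sequences are a simplified model of the flows quoted in the description (locks stay held, trylock semantics are ignored), and the helper names replay and reachable are hypothetical.

```c
#include <stdio.h>

/* Lock classes named in the commit message. */
enum { DEVLINK, RTNL, NETDEV, NLOCKS };
static const char *lock_name[NLOCKS] = { "devlink", "rtnl", "netdev" };

/* Acquisition order per flow: a constructed model, not kernel code. */
static const int init_flow[]    = { DEVLINK, RTNL, NETDEV };
static const int old_recovery[] = { NETDEV, DEVLINK };  /* before the fix */
static const int new_recovery[] = { DEVLINK, NETDEV };  /* trylock moved lower */
/* before[a][b] != 0: some flow took b while already holding a. */
static int before[NLOCKS][NLOCKS];

/* Is there a recorded dependency chain from -> ... -> to? */
static int reachable(int from, int to, unsigned seen)
{
    if (from == to)
        return 1;
    seen |= 1u << from;
    for (int n = 0; n < NLOCKS; n++)
        if (before[from][n] && !(seen & (1u << n)) && reachable(n, to, seen))
            return 1;
    return 0;
}

/* Replay one flow (locks stay held); return the number of inversions. */
static int replay(const char *flow, const int *locks, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        for (int h = 0; h < i; h++) {
            if (!reachable(locks[i], locks[h], 0)) {
                before[locks[h]][locks[i]] = 1;  /* record held -> new */
                continue;
            }
            printf("%s: %s taken while holding %s (inversion)\n",
                   flow, lock_name[locks[i]], lock_name[locks[h]]);
            bad++;
        }
    return bad;
}

int main(void)
{
    replay("probe_one", init_flow, 3);
    replay("mlx5e_tx_err_cqe_work, old", old_recovery, 2);
    replay("mlx5e_tx_err_cqe_work, fixed", new_recovery, 2);
    return 0;
}
```

Only the old recovery flow is reported: it takes the devlink lock while holding the netdev lock, the reverse of the order the init flow established. On a test kernel built with CONFIG_PROVE_LOCKING, lockdep performs this kind of check at run time.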

Technical Analysis

CVE-2026-45907 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-45907
Severity: NONE
CISA KEV: No
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45907 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.