CVE-2026-46133 (GCVE-0-2026-46133)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-05-28 09:35
VLAI
Title
RDMA/rxe: Reject unknown opcodes before ICRC processing
Summary
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < e3dc3a2fb05f4ed49c7f20594c4c52350d032189 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f8ee926431a7bbec2b10c1290664af2cb290b983 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 006a3a5f75345c6a0dbf13fd3ee01406e93b6733 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 6fa18025e5782afff91415fd5217b39c1e4837d7 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 4c6f86d85d03cdb33addce86aa69aa795ca6c47a (git)
Create a notification for this product.
Linux Linux Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e3dc3a2fb05f4ed49c7f20594c4c52350d032189",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f8ee926431a7bbec2b10c1290664af2cb290b983",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "006a3a5f75345c6a0dbf13fd3ee01406e93b6733",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "6fa18025e5782afff91415fd5217b39c1e4837d7",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "4c6f86d85d03cdb33addce86aa69aa795ca6c47a",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_recv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject unknown opcodes before ICRC processing\n\nEven after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC\nbefore payload_size() in rxe_rcv\"), a single unauthenticated UDP packet\ncan still trigger panic.  That patch handled payload_size() underflow only\nfor valid opcodes with short packets, not for packets carrying an unknown\nopcode.  The unknown-opcode OOB read described below predates that commit\nand reaches back to the initial Soft RoCE driver.\n\nThe check added there reads\n\n    pkt-\u003epaylen \u003c header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhere header_size(pkt) expands to rxe_opcode[pkt-\u003eopcode].length.  The\nrxe_opcode[] array has 256 entries but is only populated for defined IB\nopcodes; any other entry (for example opcode 0xff) is zero-initialized, so\nlength == 0 and the check degenerates to\n\n    pkt-\u003epaylen \u003c 0 + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhich does not constrain pkt-\u003epaylen enough.  rxe_icrc_hdr() then computes\n\n    rxe_opcode[pkt-\u003eopcode].length - RXE_BTH_BYTES\n\nwhich underflows when length == 0 and passes a huge value to rxe_crc32(),\ncausing an out-of-bounds read of the skb payload.\n\nReproduced on v7.0-rc7 with that fix applied, QEMU/KVM with\nCONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after\n\n    rdma link add rxe0 type rxe netdev eth0\n\nA single 48-byte UDP packet to port 4791 with BTH opcode=0xff and\nQPN=IB_MULTICAST_QPN triggers:\n\n    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170\n    Read of size 1 at addr ...\n    The buggy address is located 0 bytes to the right of\n     allocated 704-byte region\n    Call Trace:\n     crc32_le+0x115/0x170\n     rxe_icrc_hdr.isra.0+0x226/0x300\n     rxe_icrc_check+0x13f/0x3a0\n     rxe_rcv+0x6e1/0x16e0\n     rxe_udp_encap_recv+0x20a/0x320\n     udp_queue_rcv_one_skb+0x7ed/0x12c0\n\nSubsequent packets with the same shape fault on unmapped memory and panic\nthe kernel.  The trigger requires only module load and \"rdma link add\"; no\nQP, no connection, and no authentication.\n\nFix this by rejecting packets whose opcode has no rxe_opcode[] entry,\ndetected via the zero mask or zero length, before any length arithmetic\nruns."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:35:47.819Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983"
        },
        {
          "url": "https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a"
        }
      ],
      "title": "RDMA/rxe: Reject unknown opcodes before ICRC processing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46133",
    "datePublished": "2026-05-28T09:35:47.819Z",
    "dateReserved": "2026-05-13T15:03:33.099Z",
    "dateUpdated": "2026-05-28T09:35:47.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46133",
      "date": "2026-05-29",
      "epss": "0.00034",
      "percentile": "0.10411"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46133\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:28.863\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/rxe: Reject unknown opcodes before ICRC processing\\n\\nEven after applying commit 7244491dab34 (\\\"RDMA/rxe: Validate pad and ICRC\\nbefore payload_size() in rxe_rcv\\\"), a single unauthenticated UDP packet\\ncan still trigger panic.  That patch handled payload_size() underflow only\\nfor valid opcodes with short packets, not for packets carrying an unknown\\nopcode.  The unknown-opcode OOB read described below predates that commit\\nand reaches back to the initial Soft RoCE driver.\\n\\nThe check added there reads\\n\\n    pkt-\u003epaylen \u003c header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE\\n\\nwhere header_size(pkt) expands to rxe_opcode[pkt-\u003eopcode].length.  The\\nrxe_opcode[] array has 256 entries but is only populated for defined IB\\nopcodes; any other entry (for example opcode 0xff) is zero-initialized, so\\nlength == 0 and the check degenerates to\\n\\n    pkt-\u003epaylen \u003c 0 + bth_pad(pkt) + RXE_ICRC_SIZE\\n\\nwhich does not constrain pkt-\u003epaylen enough.  rxe_icrc_hdr() then computes\\n\\n    rxe_opcode[pkt-\u003eopcode].length - RXE_BTH_BYTES\\n\\nwhich underflows when length == 0 and passes a huge value to rxe_crc32(),\\ncausing an out-of-bounds read of the skb payload.\\n\\nReproduced on v7.0-rc7 with that fix applied, QEMU/KVM with\\nCONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after\\n\\n    rdma link add rxe0 type rxe netdev eth0\\n\\nA single 48-byte UDP packet to port 4791 with BTH opcode=0xff and\\nQPN=IB_MULTICAST_QPN triggers:\\n\\n    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170\\n    Read of size 1 at addr ...\\n    The buggy address is located 0 bytes to the right of\\n     allocated 704-byte region\\n    Call Trace:\\n     crc32_le+0x115/0x170\\n     rxe_icrc_hdr.isra.0+0x226/0x300\\n     rxe_icrc_check+0x13f/0x3a0\\n     rxe_rcv+0x6e1/0x16e0\\n     rxe_udp_encap_recv+0x20a/0x320\\n     udp_queue_rcv_one_skb+0x7ed/0x12c0\\n\\nSubsequent packets with the same shape fault on unmapped memory and panic\\nthe kernel.  The trigger requires only module load and \\\"rdma link add\\\"; no\\nQP, no connection, and no authentication.\\n\\nFix this by rejecting packets whose opcode has no rxe_opcode[] entry,\\ndetected via the zero mask or zero length, before any length arithmetic\\nruns.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.