CVE-2026-46133
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
28/05/2026
Last modified:
24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
RDMA/rxe: Reject unknown opcodes before ICRC processing<br />
<br />
Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC<br />
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet<br />
can still trigger panic. That patch handled payload_size() underflow only<br />
for valid opcodes with short packets, not for packets carrying an unknown<br />
opcode. The unknown-opcode OOB read described below predates that commit<br />
and reaches back to the initial Soft RoCE driver.<br />
<br />
The check added there reads<br />
<br />
pkt->paylen opcode].length. The<br />
rxe_opcode[] array has 256 entries but is only populated for defined IB<br />
opcodes; any other entry (for example opcode 0xff) is zero-initialized, so<br />
length == 0 and the check degenerates to<br />
<br />
pkt->paylen paylen enough. rxe_icrc_hdr() then computes<br />
<br />
rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES<br />
<br />
which underflows when length == 0 and passes a huge value to rxe_crc32(),<br />
causing an out-of-bounds read of the skb payload.<br />
<br />
Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with<br />
CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after<br />
<br />
rdma link add rxe0 type rxe netdev eth0<br />
<br />
A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and<br />
QPN=IB_MULTICAST_QPN triggers:<br />
<br />
BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170<br />
Read of size 1 at addr ...<br />
The buggy address is located 0 bytes to the right of<br />
allocated 704-byte region<br />
Call Trace:<br />
crc32_le+0x115/0x170<br />
rxe_icrc_hdr.isra.0+0x226/0x300<br />
rxe_icrc_check+0x13f/0x3a0<br />
rxe_rcv+0x6e1/0x16e0<br />
rxe_udp_encap_recv+0x20a/0x320<br />
udp_queue_rcv_one_skb+0x7ed/0x12c0<br />
<br />
Subsequent packets with the same shape fault on unmapped memory and panic<br />
the kernel. The trigger requires only module load and "rdma link add"; no<br />
QP, no connection, and no authentication.<br />
<br />
Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,<br />
detected via the zero mask or zero length, before any length arithmetic<br />
runs.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.8 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.30 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733
- https://git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef
- https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a
- https://git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b
- https://git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42
- https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7
- https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189
- https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983



