Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46133

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-125 Lectura fuera de límites
Fecha de publicación:
28/05/2026
Última modificación:
24/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Reject unknown opcodes before ICRC processing<br /> <br /> Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC<br /> before payload_size() in rxe_rcv"), a single unauthenticated UDP packet<br /> can still trigger panic. That patch handled payload_size() underflow only<br /> for valid opcodes with short packets, not for packets carrying an unknown<br /> opcode. The unknown-opcode OOB read described below predates that commit<br /> and reaches back to the initial Soft RoCE driver.<br /> <br /> The check added there reads<br /> <br /> pkt-&gt;paylen opcode].length. The<br /> rxe_opcode[] array has 256 entries but is only populated for defined IB<br /> opcodes; any other entry (for example opcode 0xff) is zero-initialized, so<br /> length == 0 and the check degenerates to<br /> <br /> pkt-&gt;paylen paylen enough. rxe_icrc_hdr() then computes<br /> <br /> rxe_opcode[pkt-&gt;opcode].length - RXE_BTH_BYTES<br /> <br /> which underflows when length == 0 and passes a huge value to rxe_crc32(),<br /> causing an out-of-bounds read of the skb payload.<br /> <br /> Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with<br /> CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after<br /> <br /> rdma link add rxe0 type rxe netdev eth0<br /> <br /> A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and<br /> QPN=IB_MULTICAST_QPN triggers:<br /> <br /> BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170<br /> Read of size 1 at addr ...<br /> The buggy address is located 0 bytes to the right of<br /> allocated 704-byte region<br /> Call Trace:<br /> crc32_le+0x115/0x170<br /> rxe_icrc_hdr.isra.0+0x226/0x300<br /> rxe_icrc_check+0x13f/0x3a0<br /> rxe_rcv+0x6e1/0x16e0<br /> rxe_udp_encap_recv+0x20a/0x320<br /> udp_queue_rcv_one_skb+0x7ed/0x12c0<br /> <br /> Subsequent packets with the same shape fault on unmapped memory and panic<br /> the kernel. The trigger requires only module load and "rdma link add"; no<br /> QP, no connection, and no authentication.<br /> <br /> Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,<br /> detected via the zero mask or zero length, before any length arithmetic<br /> runs.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.8 (incluyendo) 5.10.258 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (incluyendo) 5.15.209 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (incluyendo) 6.1.175 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (incluyendo) 6.6.140 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.88 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.30 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 7.0.7 (excluyendo)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*