In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject unknown opcodes before ICRC processing
Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC
before payload_size() in rxe_rcv"), a single unauthenticated UDP packet
can still trigger panic. That patch handled payload_size() underflow only
for valid opcodes with short packets, not for packets carrying an unknown
opcode. The unknown-opcode OOB read described below predates that commit
and reaches back to the initial Soft RoCE driver.
The check added there reads
pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE
where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The
rxe_opcode[] array has 256 entries but is only populated for defined IB
opcodes; any other entry (for example opcode 0xff) is zero-initialized, so
length == 0 and the check degenerates to
pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE
which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes
rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES
which underflows when length == 0 and passes a huge value to rxe_crc32(),
causing an out-of-bounds read of the skb payload.
Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with
CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after
rdma link add rxe0 type rxe netdev eth0
A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and
QPN=IB_MULTICAST_QPN triggers:
BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
Read of size 1 at addr ...
The buggy address is located 0 bytes to the right of
allocated 704-byte region
Call Trace:
crc32_le+0x115/0x170
rxe_icrc_hdr.isra.0+0x226/0x300
rxe_icrc_check+0x13f/0x3a0
rxe_rcv+0x6e1/0x16e0
rxe_udp_encap_recv+0x20a/0x320
udp_queue_rcv_one_skb+0x7ed/0x12c0
Subsequent packets with the same shape fault on unmapped memory and panic
the kernel. The trigger requires only module load and "rdma link add"; no
QP, no connection, and no authentication.
Fix this by rejecting packets whose opcode has no rxe_opcode[] entry,
detected via the zero mask or zero length, before any length arithmetic
runs.
References
Configurations
Configuration 1 (hide)
|
History
24 Jun 2026, 17:50
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-125 | |
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* |
|
| First Time |
Linux linux Kernel
Linux |
|
| References | () https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733 - Patch | |
| References | () https://git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef - Patch | |
| References | () https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a - Patch | |
| References | () https://git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b - Patch | |
| References | () https://git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42 - Patch | |
| References | () https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7 - Patch | |
| References | () https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189 - Patch | |
| References | () https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983 - Patch |
01 Jun 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
30 May 2026, 11:17
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
28 May 2026, 10:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-28 10:16
Updated : 2026-06-24 17:50
NVD link : CVE-2026-46133
Mitre link : CVE-2026-46133
CVE.ORG link : CVE-2026-46133
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-125
Out-of-bounds Read
