RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46114
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-28 10:16:26 UTC
Updated2026-05-30 11:17:21 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.000520000 probability, percentile 0.166900000 (date 2026-05-29)

VersionSourceTypeScoreSeverityVector
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3.1CNADECLARED7.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 034e285f8b99062a0cf29112e1232154a6a44aa5 539cabb7b2d8ba70f55bba91db55faef11c2a6d7 git Not specified
CNA Linux Linux affected 034e285f8b99062a0cf29112e1232154a6a44aa5 d415fce3fcde6d7aeea6c25362a395b905811452 git Not specified
CNA Linux Linux affected 034e285f8b99062a0cf29112e1232154a6a44aa5 105bf79a23b85cf3a761d18a4f3e10ce88526bc1 git Not specified
CNA Linux Linux affected 034e285f8b99062a0cf29112e1232154a6a44aa5 7ec1ed4747f5f99f8b797bb438c5efd36079fad5 git Not specified
CNA Linux Linux affected 034e285f8b99062a0cf29112e1232154a6a44aa5 1114c87aa6f195cf07da55a27b2122ae26557b26 git Not specified
CNA Linux Linux affected 6.2 Not specified
CNA Linux Linux unaffected 6.2 semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.88 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.30 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.7 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc3 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/1114c87aa6f195cf07da55a27b2122ae26557b26 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7ec1ed4747f5f99f8b797bb438c5efd36079fad5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d415fce3fcde6d7aeea6c25362a395b905811452 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/539cabb7b2d8ba70f55bba91db55faef11c2a6d7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report