RDMA/rxe: Reject unknown opcodes before ICRC processing

Summary

CVE	CVE-2026-46133
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:28 UTC
Updated	2026-06-01 17:17:28 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001030000 probability, percentile 0.277210000 (date 2026-06-04)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.1	CNA	DECLARED	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 318787fa7193bd79691f2ebce4e80cb6abd0faef git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 6a79b1ea0fcb2c998fda6a793050f66146e9cc42 git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 599cfdf44c1701c581cd4a21f1e1e03f8dc3840b git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 e3dc3a2fb05f4ed49c7f20594c4c52350d032189 git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 f8ee926431a7bbec2b10c1290664af2cb290b983 git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 006a3a5f75345c6a0dbf13fd3ee01406e93b6733 git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 6fa18025e5782afff91415fd5217b39c1e4837d7 git	Not specified
CNA	Linux	Linux	affected 8700e3e7c4857d28ebaa824509934556da0b3e76 4c6f86d85d03cdb33addce86aa69aa795ca6c47a git	Not specified
CNA	Linux	Linux	affected 4.8	Not specified
CNA	Linux	Linux	unaffected 4.8 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.258 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.209 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc3 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.