RDMA/rxe: Reject unknown opcodes before ICRC processing

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46133
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-28 10:16:28 UTC
Updated2026-05-28 13:44:01 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 8700e3e7c4857d28ebaa824509934556da0b3e76 e3dc3a2fb05f4ed49c7f20594c4c52350d032189 git Not specified
CNA Linux Linux affected 8700e3e7c4857d28ebaa824509934556da0b3e76 f8ee926431a7bbec2b10c1290664af2cb290b983 git Not specified
CNA Linux Linux affected 8700e3e7c4857d28ebaa824509934556da0b3e76 006a3a5f75345c6a0dbf13fd3ee01406e93b6733 git Not specified
CNA Linux Linux affected 8700e3e7c4857d28ebaa824509934556da0b3e76 6fa18025e5782afff91415fd5217b39c1e4837d7 git Not specified
CNA Linux Linux affected 8700e3e7c4857d28ebaa824509934556da0b3e76 4c6f86d85d03cdb33addce86aa69aa795ca6c47a git Not specified
CNA Linux Linux affected 4.8 Not specified
CNA Linux Linux unaffected 4.8 semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.88 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.30 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.7 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc3 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report