Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:

    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
                   - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.
Published: 2026-05-27
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
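
The length arithmetic from the description, modelled in user space as an added example (not the kernel's code or the upstream patch). The struct, function names and sample packets are hypothetical; it assumes header_size(pkt) equals offset[RXE_PAYLOAD] and uses 4 for RXE_ICRC_SIZE.

```c
#include <stdint.h>
#include <stdio.h>

#define ICRC_SIZE 4 /* stands in for RXE_ICRC_SIZE */

/* Hypothetical, simplified stand-in for the fields rxe_rcv() works with. */
struct pkt_model {
    int64_t paylen;  /* pkt->paylen: bytes actually received */
    int64_t hdr_len; /* header_size(pkt), assumed equal to offset[RXE_PAYLOAD] */
    int64_t pad;     /* bth_pad(pkt): 0..3, read from the packet itself */
};

enum len_check { CHECK_HDR_ONLY, CHECK_HDR_ICRC, CHECK_FULL };

/* The subtraction from the description, kept signed so a deficit is visible. */
static int64_t payload_size_model(const struct pkt_model *p)
{
    return p->paylen - p->hdr_len - p->pad - ICRC_SIZE;
}

/* Returns 1 if the packet passes the chosen minimum-length check. */
static int length_ok(const struct pkt_model *p, enum len_check c)
{
    int64_t need = p->hdr_len;

    if (c >= CHECK_HDR_ICRC)
        need += ICRC_SIZE;
    if (c == CHECK_FULL)
        need += p->pad;
    return p->paylen >= need;
}

int main(void)
{
    /* Constructed samples: 12-byte header, varying length and pad. */
    const struct pkt_model samples[] = {
        { 12, 12, 0 }, { 16, 12, 3 }, { 19, 12, 3 },
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct pkt_model *p = &samples[i];
        printf("paylen=%lld pad=%lld hdr_only=%d hdr_icrc=%d full=%d "
               "payload=%lld as_u32=%u\n",
               (long long)p->paylen, (long long)p->pad,
               length_ok(p, CHECK_HDR_ONLY), length_ok(p, CHECK_HDR_ICRC),
               length_ok(p, CHECK_FULL), (long long)payload_size_model(p),
               (unsigned)(uint32_t)payload_size_model(p));
    }
    return 0;
}
```

The second sample is the case the description singles out: it satisfies header plus ICRC, yet the pad value still drives the result below zero, and only the full check rejects it.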
AI Analysis

Impact

The kernel’s RDMA driver contains an integer underflow in the rxe_rcv function. When calculating payload size, the code subtracts the packet header length, a BTH pad size, and an ICRC field from the reported packet length. Because the packet length check only verifies that the packet is at least the size of the header, an attacker can send a packet shorter than the header plus pad/ICRC, causing the payload_size calculation to underflow to a large value. This underflow allows the receive path to access memory outside allocated bounds, leading to memory corruption or execution of arbitrary code. The flaw is classified under CWE-191.

Affected Systems

Any Linux kernel that includes the rxe RDMA module and predates commit 2fd4f8b749309a61c3f3f88ee8891d94f79e1240 is affected. Systems that support RDMA over Converged Ethernet or InfiniBand with the rxe module loaded are vulnerable. No specific kernel version range was listed, so all older kernels lacking the fix are affected.

Risk and Exploitability

The flaw gives an attacker the ability to craft RDMA packets that are received by a target host. As this is a kernel memory bug, it can lead to privilege escalation or a kernel crash. The EPSS score is not available, and the CVSS score of 7.0 indicates high severity. The vulnerability is not listed in the CISA KEV catalog, yet the lack of external mitigation suggests a high risk if RDMA traffic is permitted. Administrators should treat this as a high‑risk remote code execution flaw, and immediate action is recommended.

Generated by OpenCVE AI on May 28, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the patch commit 2fd4f8b749309a61c3f3f88ee8891d94f79e1240
  • If an update cannot be applied immediately, unload or blacklist the rxe RDMA module to prevent the vulnerable code from executing
  • Block or restrict RDMA traffic from untrusted hosts using firewall rules or network segmentation to limit exposure

Advisories

No advisories yet.

History

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-364

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-364

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:57.987Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46043

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:23.743

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46043

Redhat

Severity : Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46043 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T02:15:04Z

Weaknesses