Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==
resid == 0 because the length validation only compared pktlen against
resid. A remote initiator that sets the RETH length to 0 therefore reaches
atomic_write_reply() with a zero-byte logical payload, and the responder
reads sizeof(u64) bytes from past the logical end of the packet into
skb->head tailroom, then writes those 8 bytes into the attacker's MR via
rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel
tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is
protocol-invalid. Hoist a strict length check into check_rkey() so the
responder never reaches the unchecked dereference, and keep the existing
WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained
zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer
bytes into the attacker's MR, including recognisable kernel strings and
partial kernel-direct-map pointer words. With this patch applied the
responder rejects the PDU and the MR stays all-zero.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel's RDMA/rxe driver allows a remote initiator to send an ATOMIC_WRITE request with a zero-byte logical payload. The responder dereferences 8 bytes at the payload address regardless of the declared payload length, reading past the logical end of the packet and leaking 4 bytes of kernel tailroom per probe. An attacker can repeatedly send such probes to obtain recognizable kernel strings and partial kernel-direct-map pointer words, which can aid further exploitation of the kernel.
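The length rule the description calls for, as a simplified user-space C model added here (it is not the kernel patch or rxe source). The struct, enum and function names are hypothetical, and the pre-fix check is reduced to the single pktlen-versus-resid comparison the description mentions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model; all names here are hypothetical, not kernel symbols. */
enum op { OP_RDMA_WRITE, OP_ATOMIC_WRITE };

struct pdu {
    enum op op;
    uint32_t reth_len;       /* length declared in the RETH (resid) */
    size_t payload_len;      /* payload bytes actually carried (pktlen) */
    const uint8_t *payload;  /* start of the logical payload */
};
#define ATOMIC_WRITE_LEN sizeof(uint64_t)

/* Pre-fix model: the only test is pktlen against resid, so 0 == 0 passes. */
bool length_ok_before(const struct pdu *p)
{
    return p->payload_len <= p->reth_len;
}

/* Post-fix model: ATOMIC_WRITE is exactly 8 bytes; WRITE path unchanged. */
bool length_ok_after(const struct pdu *p)
{
    if (p->op == OP_ATOMIC_WRITE)
        return p->reth_len == ATOMIC_WRITE_LEN &&
               p->payload_len == ATOMIC_WRITE_LEN;
    return p->payload_len <= p->reth_len;
}

/* Responder step: the 8-byte read happens only after the strict check. */
bool atomic_write_value(const struct pdu *p, uint64_t *out)
{
    if (p->op != OP_ATOMIC_WRITE || !length_ok_after(p))
        return false;                       /* rejected, payload untouched */
    memcpy(out, p->payload, sizeof(*out));  /* 8 bytes are known to exist */
    return true;
}

int main(void)
{
    struct pdu probe = { OP_ATOMIC_WRITE, 0, 0, NULL };  /* constructed */
    uint64_t v = 0;
    printf("before=%d after=%d read=%d\n", length_ok_before(&probe),
           length_ok_after(&probe), atomic_write_value(&probe, &v));
    return 0;
}
```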

Affected Systems

The vulnerability applies to all Linux kernel builds that employ the rdma/rxe driver before the fix was applied. No specific kernel releases are enumerated in the CVE data; the patch was introduced at commit 105bf79a23b85cf3a761d18a4f3e10ce88526bc1.

Risk and Exploitability

The attack requires network access to an RDMA interface that accepts ATOMIC_WRITE operations. CVSS, EPSS, and KEV metrics are unavailable, but the issue is a remote information disclosure whose exposure is limited to systems reachable over RDMA traffic. Organizations that expose RDMA services to untrusted networks should treat this as a moderate to high risk pending patch deployment.

Generated by OpenCVE AI on May 28, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to a Linux kernel that includes the RDMA/rxe ATOMIC_WRITE length-check fix committed at https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1 and verify that rxe enforces the ATOMIC_WRITE length check.
  • After applying the kernel update, use protocol-level tests to validate that zero-length ATOMIC_WRITE PDUs are no longer accepted.
  • Restrict RDMA traffic to trusted hosts or firewall outbound RDMA traffic to mitigate accidental exposure.
  • If RDMA is not required, disable the rdma/rxe driver or the RDMA subsystem to eliminate the attack surface.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125, CWE-200

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | Same text as the Description at the top of this page
Title | | RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:24.638Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46114

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T10:16:26.870

Modified: 2026-05-28T10:16:26.870

Link: CVE-2026-46114

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T11:30:15Z

Weaknesses