Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c
unconditionally dereferences 8 bytes at payload_addr(pkt):

value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==
resid == 0 because the length validation only compared pktlen against
resid. A remote initiator that sets the RETH length to 0 therefore reaches
atomic_write_reply() with a zero-byte logical payload, and the responder
reads sizeof(u64) bytes from past the logical end of the packet into
skb->head tailroom, then writes those 8 bytes into the attacker's MR via
rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel
tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is
protocol-invalid. Hoist a strict length check into check_rkey() so the
responder never reaches the unchecked dereference, and keep the existing
WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained
zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer
bytes into the attacker's MR, including recognisable kernel strings and
partial kernel-direct-map pointer words. With this patch applied the
responder rejects the PDU and the MR stays all-zero.
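The length check described above, modelled in user space as an added example (not the kernel's code or the patch itself). The struct, function names, sample bytes and the exact form of the post-fix check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum op { OP_RDMA_WRITE, OP_ATOMIC_WRITE };   /* model opcodes, not kernel values */
struct pdu {
    enum op op;
    uint32_t resid;          /* length declared in the RETH */
    size_t pktlen;           /* payload bytes actually carried */
    const uint8_t *payload;  /* models payload_addr(pkt) */
};
/* Constructed bytes that follow the empty payload of a zero-length PDU. */
static const uint8_t after_payload[8] = {
    0x11, 0x22, 0x33, 0x44,  /* the packet's own trailing ICRC */
    0xde, 0xad, 0xbe, 0xef,  /* stale skb tailroom */
};
/* Pre-fix shape: only pktlen vs resid is compared, so 0 == 0 passes. */
static bool check_before(const struct pdu *p) { return p->pktlen == p->resid; }
/* Post-fix shape (assumed form): ATOMIC_WRITE must be exactly 8 bytes. */
static bool check_after(const struct pdu *p) {
    if (p->op == OP_ATOMIC_WRITE)
        return p->resid == sizeof(uint64_t) && p->pktlen == sizeof(uint64_t);
    return p->pktlen == p->resid;             /* WRITE path unchanged */
}
/* Responder model: 0 on accept, -1 on reject; *mr is the initiator's MR. */
static int respond(const struct pdu *p, bool hardened, uint64_t *mr) {
    if (!(hardened ? check_after(p) : check_before(p)))
        return -1;
    if (p->op == OP_ATOMIC_WRITE)
        memcpy(mr, p->payload, sizeof(*mr));  /* unconditional 8-byte read */
    return 0;
}
/* Tailroom bytes that land in the MR after one zero-length probe. */
int tailroom_bytes_in_mr(bool hardened) {
    struct pdu p = { OP_ATOMIC_WRITE, 0, 0, after_payload };
    uint64_t mr = 0;
    respond(&p, hardened, &mr);
    return memcmp((uint8_t *)&mr + 4, after_payload + 4, 4) == 0 ? 4 : 0;
}
/* A well-formed 8-byte ATOMIC_WRITE is accepted by both checks. */
int valid_write_accepted(bool hardened) {
    static const uint8_t val[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct pdu p = { OP_ATOMIC_WRITE, 8, 8, val };
    uint64_t mr = 0;
    return respond(&p, hardened, &mr) == 0 && memcmp(&mr, val, 8) == 0;
}
int main(void) {   /* exit status 0 when the model behaves as described */
    return !(tailroom_bytes_in_mr(false) == 4 && tailroom_bytes_in_mr(true) == 0);
}
```

With the pre-fix check the MR receives the 4 ICRC bytes plus 4 tailroom bytes; with the strict check the PDU is rejected and the MR stays zero.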
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel's RDMA/rxe driver allows a remote initiator to send an ATOMIC_WRITE request with a zero-byte logical payload. The responder dereferences 8 bytes at the end of the packet buffer regardless of the declared payload length, leaking 4 bytes of kernel tailroom per probe. An attacker can repeatedly send such probes to obtain recognizable kernel strings and partial kernel-direct-map pointer words, potentially aiding further exploitation.

Affected Systems

The vulnerability applies to all Linux kernel builds that employ the rdma/rxe driver before the fix was applied. No specific kernel releases are enumerated in the CVE data; the patch was introduced at commit 105bf79a23b85cf3a761d18a4f3e10ce88526bc1.

Risk and Exploitability

The CVSS score is 7.5, EPSS is <1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to an RDMA interface that accepts ATOMIC_WRITE operations, which limits the exploitable environment to RDMA traffic. The flaw is a remote disclosure: attackers can leak kernel memory into their own MR. Organizations that expose RDMA services to untrusted networks should treat this as a moderate to high risk pending patch deployment.

Generated by OpenCVE AI on May 30, 2026 at 13:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to a Linux kernel that includes the rxe_atomic_write fix committed at https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1 and verify that rxe supports ATOMIC_WRITE length checks.
  • Validate that no zero‑length ATOMIC_WRITE PDUs are accepted by using protocol‑level tests after applying the kernel update.
  • Restrict RDMA traffic to trusted hosts or firewall outbound RDMA traffic to mitigate accidental exposure.
  • If RDMA is not required, disable the rdma/rxe driver or the RDMA subsystem to eliminate the attack surface.

Generated by OpenCVE AI on May 30, 2026 at 13:03 UTC.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 29 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-200

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-200

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.
Title RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:55:27.913Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46114

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:26.870

Modified: 2026-06-17T10:53:05.440

Link: CVE-2026-46114

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46114 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency