RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:

payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
- RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.

Basic Information

ID CVE-2026-46043

Source Linux

Published May 27, 2026 at 12:56

Modified May 30, 2026 at 10:46

Affected Product

Vendor Linux

Product Linux

Version 8700e3e7c4857d28ebaa824509934556da0b3e76

Affected Versions Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76
Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76
Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76
Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76
Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76
Linux Linux 4.8

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt->paylen:\n\n  payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n                 - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt->paylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE.",
    "published": "2026-05-27T12:56:57.987Z",
    "modified": "2026-05-30T10:46:56.646Z",
    "type": "cve",
    "title": "RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240\nhttps://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520\nhttps://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa\nhttps://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d\nhttps://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3",
    "id": "CVE-2026-46043",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76\nLinux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76\nLinux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76\nLinux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76\nLinux Linux 8700e3e7c4857d28ebaa824509934556da0b3e76\nLinux Linux 4.8",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv_CVE-2026-46043

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply