PT-2026-44237 · Linux · Linux Kernel

Published 2026-05-28 · Updated 2026-06-15 · CVE-2026-46114

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An issue exists in the RDMA rxe driver where the atomic_write_reply() function in drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes from payload_addr(pkt). The check_rkey() function previously allowed ATOMIC WRITE requests with a length of zero, enabling a remote initiator to trigger a read of 8 bytes beyond the logical end of the packet into the skb->head tailroom. This results in a remote disclosure of kernel tailroom data, including kernel strings and partial kernel-direct-map pointer words, which are then written into the attacker's Memory Region (MR) via rxe_mr_do_atomic_write().

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
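
The missing length validation from the description, as a user-space model added here for illustration; it is not the kernel's rxe code or its fix. The struct, the function names and the "exactly 8 bytes" rule are assumptions of the model, and the 0xAA bytes are constructed stand-ins for stale tailroom data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATOMIC_WRITE_LEN 8u   /* the responder always consumes 8 bytes */

/* Hypothetical stand-in for a received packet: payload, then tailroom. */
struct model_pkt {
    uint8_t buf[32];
    size_t  payload_off;      /* start of the payload inside buf */
    size_t  payload_len;      /* logical payload length of the request */
};

/* Pre-fix behaviour described on the page: a zero length is accepted. */
static int check_unpatched(const struct model_pkt *p) { (void)p; return 0; }

/* Model rule (assumption): payload must be exactly 8 bytes and in bounds. */
static int check_hardened(const struct model_pkt *p)
{
    if (p->payload_len != ATOMIC_WRITE_LEN)
        return -1;
    return p->payload_off <= sizeof(p->buf) - ATOMIC_WRITE_LEN ? 0 : -1;
}

/* Validate, then copy 8 bytes from the payload start into the "MR" word. */
static int handle_atomic_write(const struct model_pkt *p,
                               int (*check)(const struct model_pkt *),
                               uint64_t *mr_word)
{
    if (check(p) != 0)
        return -1;            /* request rejected, MR word untouched */
    memcpy(mr_word, p->buf + p->payload_off, ATOMIC_WRITE_LEN);
    return 0;
}

/* Constructed input: len payload bytes of 0x11, everything else 0xAA. */
static struct model_pkt make_pkt(size_t len)
{
    struct model_pkt p = { .payload_off = 16, .payload_len = len > 8 ? 8 : len };
    memset(p.buf, 0xAA, sizeof(p.buf));
    memset(p.buf + p.payload_off, 0x11, p.payload_len);
    return p;
}

int main(void)
{
    struct model_pkt z = make_pkt(0);   /* zero-length request */
    uint64_t w = 0;
    printf("unpatched=%d ", handle_atomic_write(&z, check_unpatched, &w));
    printf("hardened=%d\n", handle_atomic_write(&z, check_hardened, &w));
    return 0;
}
```

With the unpatched check the zero-length request is accepted and the destination word holds only bytes that were never part of the payload; with the length check the request is rejected before the copy.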

Related Identifiers

CVE-2026-46114
OPENSUSE-SU-2026:10954-1
SUSE-SU-2026:22108-1
SUSE-SU-2026:2310-1

Affected Products

Linux Kernel