PT-2026-44256 · Linux · Linux

Published

2026-05-28

·

Updated

2026-05-28

·

CVE-2026-46133

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject unknown opcodes before ICRC processing
Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload size() in rxe rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.
The check added there reads
pkt->paylen < header size(pkt) + bth pad(pkt) + RXE ICRC SIZE
where header size(pkt) expands to rxe opcode[pkt->opcode].length. The rxe opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to
pkt->paylen < 0 + bth pad(pkt) + RXE ICRC SIZE
which does not constrain pkt->paylen enough. rxe icrc hdr() then computes
rxe opcode[pkt->opcode].length - RXE BTH BYTES
which underflows when length == 0 and passes a huge value to rxe crc32(), causing an out-of-bounds read of the skb payload.
Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG RDMA RXE=y and CONFIG KASAN=y, after
rdma link add rxe0 type rxe netdev eth0
A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB MULTICAST QPN triggers:
BUG: KASAN: slab-out-of-bounds in crc32 le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32 le+0x115/0x170 rxe icrc hdr.isra.0+0x226/0x300 rxe icrc check+0x13f/0x3a0 rxe rcv+0x6e1/0x16e0 rxe udp encap recv+0x20a/0x320 udp queue rcv one skb+0x7ed/0x12c0
Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication.
Fix this by rejecting packets whose opcode has no rxe opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

Related Identifiers

CVE-2026-46133

Affected Products

Linux