CVE-2026-46043
published 2026-05-27CVE-2026-46043: In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks…
critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.
However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:
payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
- RXE_ICRC_SIZE
This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.
Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < c4376c672c3648d5bdc31dfffc329d07164f93c4 | c4376c672c3648d5bdc31dfffc329d07164f93c4 |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < 5fedefec757192dcaad29a664ac332c7601be144 | 5fedefec757192dcaad29a664ac332c7601be144 |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < 2c0d71ef12f46c57d37bc571f3f2797db7eb50cc | 2c0d71ef12f46c57d37bc571f3f2797db7eb50cc |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < 2fd4f8b749309a61c3f3f88ee8891d94f79e1240 | 2fd4f8b749309a61c3f3f88ee8891d94f79e1240 |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < f83519a4c122c9c7a850a2197648a9ff4c67c520 | f83519a4c122c9c7a850a2197648a9ff4c67c520 |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < 9b924f3a26b21330a837cfe72e819b6393bbeeaa | 9b924f3a26b21330a837cfe72e819b6393bbeeaa |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < e8ee0e792d475b1067c199ef0af1b6221fa6f43d | e8ee0e792d475b1067c199ef0af1b6221fa6f43d |
| linux | linux | >= 8700e3e7c4857d28ebaa824509934556da0b3e76 < 7244491dab347f648e661da96dc0febadd9daec3 | 7244491dab347f648e661da96dc0febadd9daec3 |
| linux | linux_kernel | — | — |