CVE-2026-46133

Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject unknown opcodes before ICRC processing

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.

The check added there reads

pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to

pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE

which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes

rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES

which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

rdma link add rxe0 type rxe netdev eth0

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:

BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
Read of size 1 at addr ...
The buggy address is located 0 bytes to the right of
 allocated 704-byte region
Call Trace:
 crc32_le+0x115/0x170
 rxe_icrc_hdr.isra.0+0x226/0x300
 rxe_icrc_check+0x13f/0x3a0
 rxe_rcv+0x6e1/0x16e0
 rxe_udp_encap_recv+0x20a/0x320
 udp_queue_rcv_one_skb+0x7ed/0x12c0

Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 318787fa7193bd79691f2ebce4e80cb6abd0faefaffected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 6a79b1ea0fcb2c998fda6a793050f66146e9cc42affected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 599cfdf44c1701c581cd4a21f1e1e03f8dc3840baffected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < e3dc3a2fb05f4ed49c7f20594c4c52350d032189affected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < f8ee926431a7bbec2b10c1290664af2cb290b983affected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 006a3a5f75345c6a0dbf13fd3ee01406e93b6733affected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 6fa18025e5782afff91415fd5217b39c1e4837d7affected
LinuxLinux8700e3e7c4857d28ebaa824509934556da0b3e76 < 4c6f86d85d03cdb33addce86aa69aa795ca6c47aaffected
LinuxLinux4.8affected
LinuxLinux0 < 4.8unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References