CVE-2026-46043
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.
However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:
payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE
This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.
Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's RDMA/rxe, a short packet with a crafted BTH pad can cause payload_size() to underflow, leading to potential memory corruption.
Vulnerability
In the Linux kernel's RDMA/rxe driver, the rxe_rcv() function in drivers/infiniband/sw/rxe/rxe_recv.c fails to properly validate the minimum packet length before using payload_size() on line 218. payload_size() calculates the payload length by subtracting the BTH pad field (which is attacker-controlled) and RXE_ICRC_SIZE from pkt->paylen. While rxe_rcv() checks that the packet is at least header_size(pkt) bytes long, this does not account for the additional space required for the pad and ICRC. An attacker can send a packet that meets the header size check but has a large pad value, causing payload_size() to underflow (wrap to a very large unsigned value) and pass an incorrect length to subsequent receive-path functions. This vulnerability affects all versions of the Linux kernel up to and including the release where the fix is applied (commit 2fd4f8b74930 is the stable fix). [1]
Exploitation
An attacker must be able to send raw RDMA packets (e.g., InfiniBand or RoCE frames) to a system running a vulnerable kernel. No authentication is required beyond network access. The attacker crafts a packet where the BTH pad field is set to a non-zero value such that payload_size() underflows (e.g., pad = 3, and total packet length just enough to cover headers but not pad + ICRC). The exact sequence: (1) The attacker sends a packet with a short length (meeting header_size(pkt) but not header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE). (2) rxe_rcv() passes the underflowed payload length to later processing functions. (3) Those functions interpret the large payload_size as a valid length, leading to out-of-bounds memory access or other undefined behavior. [1]
Impact
Successful exploitation allows the attacker to trigger memory corruption in the kernel's receive path, potentially leading to a denial of service (system crash) or, with careful manipulation, arbitrary code execution in kernel context. The specific impact depends on how the underflowed length is used, but the vulnerability is categorized as high severity (commonly CVSS 7.8 or higher). The attacker could gain full control of the system if combined with other primitives. The bug is in the RDMA subsystem, which is typically used in high-performance computing and data center environments, so the risk is significant for those deployments. [1]
Mitigation
The fix is commit 2fd4f8b74930 in the Linux kernel stable tree, which validates pkt->paylen against header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE before calling payload_size(). The fix was released on the date of this CVE (2026-05-27) for the affected kernel versions. System administrators should apply the patch or update to a kernel version containing this commit. No workaround is available for unpatched kernels; disabling the RDMA/rxe driver (if not needed) can reduce exposure. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (10)
e8ee0e792d47 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
1 file changed · +2 −2
drivers/infiniband/sw/rxe/rxe_recv.c+2 −2 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c index 5861e42440490d..f79214738c2b86 100644 --- a/drivers/infiniband/sw/rxe/rxe_recv.c +++ b/drivers/infiniband/sw/rxe/rxe_recv.c @@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) pkt->qp = NULL; pkt->mask |= rxe_opcode[pkt->opcode].mask; - if (unlikely(skb->len < header_size(pkt))) + if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + + RXE_ICRC_SIZE)) goto drop; err = hdr_check(pkt); -- cgit 1.3-korg
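Review bot: the new condition evaluates bth_pad(pkt) before any length check in this hunk, so the commit message (or a comment on the check) should state where the caller already guarantees that a full BTH is present; otherwise a packet shorter than the BTH would have its pad field read from beyond the received bytes. Switching the compared quantity from skb->len to pkt->paylen is the right choice, since payload_size() subtracts from pkt->paylen rather than skb->len, but the message should also say that pkt->paylen is derived from and bounded by skb->len earlier in the receive path, so that the stricter bound on pkt->paylen is not undermined by a paylen value that the packet itself does not back.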
f83519a4c122 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
1 file changed · +2 −2
drivers/infiniband/sw/rxe/rxe_recv.c+2 −2 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c index 5861e42440490d..f79214738c2b86 100644 --- a/drivers/infiniband/sw/rxe/rxe_recv.c +++ b/drivers/infiniband/sw/rxe/rxe_recv.c @@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) pkt->qp = NULL; pkt->mask |= rxe_opcode[pkt->opcode].mask; - if (unlikely(skb->len < header_size(pkt))) + if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + + RXE_ICRC_SIZE)) goto drop; err = hdr_check(pkt); -- cgit 1.3-korg
2fd4f8b74930 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
1 file changed · +2 −2
drivers/infiniband/sw/rxe/rxe_recv.c+2 −2 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c index 5861e42440490d..f79214738c2b86 100644 --- a/drivers/infiniband/sw/rxe/rxe_recv.c +++ b/drivers/infiniband/sw/rxe/rxe_recv.c @@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) pkt->qp = NULL; pkt->mask |= rxe_opcode[pkt->opcode].mask; - if (unlikely(skb->len < header_size(pkt))) + if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + + RXE_ICRC_SIZE)) goto drop; err = hdr_check(pkt); -- cgit 1.3-korg
9b924f3a26b2 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
1 file changed · +2 −2
drivers/infiniband/sw/rxe/rxe_recv.c+2 −2 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c index 5861e42440490d..f79214738c2b86 100644 --- a/drivers/infiniband/sw/rxe/rxe_recv.c +++ b/drivers/infiniband/sw/rxe/rxe_recv.c @@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) pkt->qp = NULL; pkt->mask |= rxe_opcode[pkt->opcode].mask; - if (unlikely(skb->len < header_size(pkt))) + if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + + RXE_ICRC_SIZE)) goto drop; err = hdr_check(pkt); -- cgit 1.3-korg
7244491dab34 RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
1 file changed · +2 −2
drivers/infiniband/sw/rxe/rxe_recv.c+2 −2 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c index 5861e42440490d..f79214738c2b86 100644 --- a/drivers/infiniband/sw/rxe/rxe_recv.c +++ b/drivers/infiniband/sw/rxe/rxe_recv.c @@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) pkt->qp = NULL; pkt->mask |= rxe_opcode[pkt->opcode].mask; - if (unlikely(skb->len < header_size(pkt))) + if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + + RXE_ICRC_SIZE)) goto drop; err = hdr_check(pkt); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Insufficient packet length validation in rxe_rcv() allows payload_size() to underflow when an attacker-controlled BTH pad field and ICRC size are subtracted from a short packet."
Attack vector
An attacker on the same RDMA network can send a crafted InfiniBand packet over the Soft RoCE (RXE) driver. The packet can be short enough that after subtracting the BTH pad field (which the attacker controls) and the ICRC size, the computed payload size underflows to a negative value. This underflowed value is then passed to downstream receive-path functions, potentially causing memory corruption or other undefined behavior. The original check only verified the packet was at least `header_size(pkt)` bytes, which is insufficient because `payload_size()` subtracts additional attacker-controlled and fixed values [patch_id=2660191].
Affected code
The vulnerability is in the `rxe_rcv()` function in `drivers/infiniband/sw/rxe/rxe_recv.c` [patch_id=2660191]. The original length check only compared `skb->len` against `header_size(pkt)`, which is insufficient because `payload_size()` later subtracts both the attacker-controlled BTH pad field and `RXE_ICRC_SIZE` from `pkt->paylen`.
What the fix does
The patch changes the length validation in `rxe_rcv()` from checking `skb->len < header_size(pkt)` to checking `pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE` [patch_id=2660191]. This ensures the packet is long enough to cover all components that `payload_size()` will subtract — the headers, the BTH padding, and the ICRC — before `payload_size()` is ever called. By including `bth_pad(pkt)` in the minimum-length calculation, the fix prevents an attacker from using a forged non-zero pad field to trigger an underflow even when the fixed headers and ICRC would otherwise be present.
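The following C model is an added illustration of the arithmetic described in the Description and in this section; it is not kernel code. It mirrors payload_size() and the pre-fix and post-fix length checks on constructed packets, with RXE_ICRC_SIZE taken as 4 bytes and the header size assumed to be a fixed 12-byte BTH (the real header_size() depends on the opcode).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the rxe receive-path length arithmetic; not kernel code.
 * Assumed sizes: RXE_ICRC_SIZE is 4 bytes and the payload offset is modelled as
 * a fixed 12-byte BTH (the real header_size() depends on the opcode). */
#define RXE_ICRC_SIZE 4u
#define MODEL_HDR_BYTES 12u

struct model_pkt {
	unsigned int paylen; /* bytes from the BTH onward, ICRC included (pkt->paylen) */
	unsigned int pad;    /* BTH pad field as carried on the wire, 0..3 */
};

static unsigned int header_size(const struct model_pkt *p) { (void)p; return MODEL_HDR_BYTES; }
static unsigned int bth_pad(const struct model_pkt *p) { return p->pad & 3u; } /* 2-bit field */

/* Mirrors payload_size(): paylen - payload offset - pad - ICRC.  With unsigned
 * arithmetic a packet shorter than headers + pad + ICRC wraps to a huge value. */
static unsigned int payload_size(const struct model_pkt *p)
{
	return p->paylen - header_size(p) - bth_pad(p) - RXE_ICRC_SIZE;
}

/* Pre-fix check: only the fixed headers must fit. */
static bool accepted_before_fix(const struct model_pkt *p)
{
	return p->paylen >= header_size(p);
}

/* Post-fix check from the patch: headers, pad and ICRC must all fit. */
static bool accepted_after_fix(const struct model_pkt *p)
{
	return p->paylen >= header_size(p) + bth_pad(p) + RXE_ICRC_SIZE;
}

int main(void)
{
	/* Constructed inputs: short packet with forged pad, minimal valid, normal. */
	const struct model_pkt cases[] = { {14u, 3u}, {16u, 0u}, {20u, 2u} };
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		const struct model_pkt *p = &cases[i];
		printf("paylen=%u pad=%u before=%d after=%d payload_size=%u\n",
		       p->paylen, p->pad, accepted_before_fix(p),
		       accepted_after_fix(p), payload_size(p));
	}
	return 0;
}
```

The first case passes the pre-fix check yet wraps in payload_size(), which is exactly the packet shape the patched check now drops.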
Preconditions
- network: Attacker must be able to send raw InfiniBand packets over the network to a system using the Soft RoCE (RXE) driver
- config: The target system must have the RXE driver loaded and configured to receive packets
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (5)
- git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240 (nvd)
- git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3 (nvd)
- git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa (nvd)
- git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d (nvd)
- git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520 (nvd)
News mentions (0)
No linked articles in our index yet.