Skip to main content

Linux Kernel CVE-2026-46133

| EUVDEUVD-2026-32760 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gvjm-hrcm-hvm6
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:54 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject unknown opcodes before ICRC processing

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.

The check added there reads

pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to

pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE

which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes

rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES

which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

rdma link add rxe0 type rxe netdev eth0

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:

BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0

Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.

AnalysisAI

Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.

Technical ContextAI

The vulnerability resides in the Soft RoCE (RXE) driver (drivers/infiniband/sw/rxe), which implements RDMA over Converged Ethernet in software, encapsulating InfiniBand Base Transport Header (BTH) packets over UDP port 4791. The rxe_opcode[] lookup table is sized for 256 possible opcode values but only populated for defined IB opcodes, leaving undefined entries (e.g., 0xff) zero-initialized. When rxe_icrc_hdr() computes 'rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES' on an unknown opcode, the unsigned subtraction underflows to a huge value passed to rxe_crc32(), producing a slab-out-of-bounds read - a classic CWE-125 (Out-of-bounds Read) / CWE-191 (Integer Underflow) defect. This regression bypasses the earlier mitigation in commit 7244491dab34 which only validated short packets for known opcodes.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 or later, applying the relevant stable backport from https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733 (or the sibling commits 4c6f86d8, 6fa18025, e3dc3a2f, f8ee9264 for the respective stable branches). If immediate patching is not feasible, unload the rxe module ('modprobe -r rdma_rxe') or refrain from creating rxe links with 'rdma link add ... type rxe', which fully eliminates the attack surface at the cost of losing Soft RoCE functionality. Network-layer mitigations include blocking inbound UDP port 4791 at perimeter and host firewalls (iptables/nftables) for any interface not requiring RoCE - note this breaks legitimate RoCE traffic on that interface. Restricting rxe to trusted management networks via segmentation is an alternative for environments that require the feature.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy