Skip to main content

Linux Kernel EUVDEUVD-2026-32425

| CVE-2026-46043 CRITICAL
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-ww3w-m544-ppj6
Critical
Disputed · 9.1 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:39 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.1 (CRITICAL)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
CRITICAL 9.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:

payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)

  • RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.

AnalysisAI

Remote denial of service and potential memory corruption in the Linux kernel's RDMA Software RoCE (rxe) driver allows network attackers to send malformed RDMA packets that bypass length validation in rxe_rcv(). Affected systems with the rxe module loaded and reachable on the network can experience integer underflow in payload_size() due to an attacker-controlled BTH pad field, leading to negative values being passed to downstream receive-path handlers. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the CVSS 9.1 rating reflects the unauthenticated network attack surface where rxe is exposed.

Technical ContextAI

The vulnerability lives in drivers/infiniband/sw/rxe, the Soft RoCE (RDMA over Converged Ethernet) implementation that emulates an RDMA NIC in software over a standard Ethernet interface. The rxe_rcv() function processes incoming RoCE packets and validates that the buffer is at least header_size(pkt) long before invoking payload_size(), which computes the payload as pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE. Because the BTH (Base Transport Header) pad field is attacker-controlled and RXE_ICRC_SIZE is a fixed 4-byte trailer, a short packet with a forged non-zero pad value causes the subtraction to underflow into a large unsigned (or negative signed) value. The CWE is not officially assigned, but the bug pattern corresponds to CWE-191 (Integer Underflow) and CWE-1284 (Improper Validation of Specified Quantity in Input), and downstream consumers of the underflowed length may read out-of-bounds or process bogus payload lengths.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) depending on the stable series in use, with patches available at https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240 and the four sibling commits listed in the references. Distribution-shipped kernels should be updated once the corresponding RHEL, Ubuntu, SUSE, or Debian advisories pick up these stable backports. As an immediate compensating control on systems that do not require Soft RoCE, unload and blacklist the rdma_rxe module (modprobe -r rdma_rxe; echo 'blacklist rdma_rxe' > /etc/modprobe.d/blacklist-rxe.conf), which fully removes the vulnerable code path at the cost of breaking any application relying on software RDMA. If rxe is required, restrict the interface it is bound to via host firewall rules (e.g., drop RoCEv2 UDP/4791 from untrusted networks) to limit the reachable attack surface, accepting that this does not protect from a compromised peer on the same RDMA fabric.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy