Skip to main content

Linux Kernel EUVDEUVD-2026-32873

| CVE-2026-46114 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pv35-9gqp-7q2c
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:50 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):

value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen resid 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

AnalysisAI

Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.

Technical ContextAI

The vulnerability lives in drivers/infiniband/sw/rxe/rxe_resp.c, the responder path of the Soft-RoCE (RXE) driver that implements RDMA over Converged Ethernet in software. The IBA specification (oA19-28) mandates that an ATOMIC_WRITE payload is exactly 8 bytes, but check_rkey() only validated pktlen against resid, allowing both to be zero. atomic_write_reply() then unconditionally casts payload_addr(pkt) to a u64* and dereferences it, reading past the logical end of the packet into the socket buffer's head tailroom and then writing those 8 bytes (4 of which are uninitialized kernel memory; 4 are the packet's own ICRC trailer) into the requestor's memory region via rxe_mr_do_atomic_write(). This is a classic out-of-bounds read leading to information disclosure (CWE-125 / CWE-200 class), rooted in missing length validation for a fixed-size RDMA opcode.

RemediationAI

Vendor-released patches are available - upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or the corresponding stable commits 105bf79a / 1114c87a / 539cabb7 / d415fce3 / 7ec1ed47 from git.kernel.org/stable). If patching is not immediately possible, unload or blacklist the rxe kernel module (modprobe -r rdma_rxe; echo 'blacklist rdma_rxe' >> /etc/modprobe.d/blacklist.conf), which eliminates the attack surface entirely at the cost of disabling software RDMA - acceptable on any host that does not actively use Soft-RoCE. As a network-layer compensating control, restrict RDMA/RoCEv2 traffic (UDP/4791) to trusted fabric segments via firewall or VLAN isolation, accepting that this only protects against off-fabric attackers and not co-tenant or compromised-host scenarios.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy