Skip to main content

Linux Kernel EUVDEUVD-2026-35426

| CVE-2026-46325 CRITICAL
2026-06-09 Linux GHSA-rmw9-5h46-94mm
Critical
Disputed · 9.8 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Requires local RDMA verbs access (PR:L, AV:L), a non-default MR/PAGE_SIZE mismatch and SG-boundary timing (AC:H); primary demonstrated impact is kernel panic (A:H) with limited memory disclosure/corruption (C:L/I:L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.7 MEDIUM
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:35 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
9.8 (CRITICAL)
Patch available
Jun 09, 2026 - 15:01 EUVD
CVE Published
Jun 09, 2026 - 12:25 cve.org
CRITICAL 9.8
CVE Published
Jun 09, 2026 - 12:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

  1. page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):

ibmr->iova = 0x181800 sg[0]: dma_addr=0x181800, len=0x800 sg[1]: dma_addr=0x173000, len=0x1000

Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix:

  • index = (0x182010 >> 12) - (0x181800 >> 12) = 1
  • page_offset = 0x182010 & 0xFFF = 0x10
  • xarray[1] stores system page base 0x170000
  • Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)
  1. page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):

ibmr->iova = 0x18f800 sg[0]: dma_addr=0x18f800, len=0x800 sg[1]: dma_addr=0x170000, len=0x1000

Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix:

  • index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
  • page_offset = 0x190010 & 0xFFFF = 0x10
  • xarray[1] stores system page for dma_addr 0x170000
  • Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution:

  1. Replace xarray with pre-allocated rxe_mr_page array for sequential

indexing (all MR page indices are contiguous)

  1. Each rxe_mr_page stores both struct page* and offset within the

system page

  1. Handle MR page_size != PAGE_SIZE relationships:
  • page_size > PAGE_SIZE: Split MR pages into multiple system pages
  • page_size <= PAGE_SIZE: Store offset within system page
  1. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts:

  • rdma-core/pytests

$ ./build/bin/run_tests.py --dev eth0_rxe

  • blktest:

$ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/

AnalysisAI

Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.

Technical ContextAI

The vulnerability sits in drivers/infiniband/sw/rxe (Soft-RoCE), the software RDMA-over-Converged-Ethernet implementation that emulates InfiniBand verbs over standard Ethernet. The rxe_set_page() routine populated an xarray of struct page pointers using mr->page_size step increments, but each xarray slot represents one system PAGE_SIZE-sized page. When MR page_size and system PAGE_SIZE diverge (e.g., 4K MR on a 64K kernel, or 64K MR on a 4K kernel), the index/offset math used for iova-to-VA conversion dereferences the wrong scatter-gather entry, returning a virtual address that points into unrelated memory. The fix replaces the xarray with a pre-allocated rxe_mr_page array that stores both struct page* and the offset within the system page, plus boundary and compatibility checks. No CWE was assigned, but functionally this is an out-of-bounds / incorrect-pointer-arithmetic class defect in kernel memory mapping logic.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.14, 6.19.4, or 7.0 (with the fix) or later, pulling the upstream commits 409c2c5508f3d30627bea576f8676de523cb906e, 836f6c13c9674027793f720be3f15ecd2b90b6ca, and 12985e5915a0b8354796efadaaeb201eed115377 from git.kernel.org/stable; distribution users should monitor their vendor advisory channel and apply the backported kernel update. If patching must be deferred, the most effective compensating control is to avoid loading the rxe module (blacklist rdma_rxe via /etc/modprobe.d/) on hosts that do not require Soft-RoCE - trade-off: this disables software RDMA emulation, which is acceptable when hardware RNICs or non-RDMA transports are in use but breaks NVMe-oF/RDMA, SRP, and similar workloads running on top of rxe. Where rxe must remain enabled, restrict which userspace processes can open /dev/infiniband/uverbs* (typically via group rdma membership) to reduce who can register MRs with non-default page sizes, and ensure RDMA fabric peers are trusted, since the bug is reachable by RDMA traffic from peers that have established a connection. See https://nvd.nist.gov/vuln/detail/CVE-2026-46325 for tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-35426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy