CVE-2026-46043
Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel RDMA/rxe Module

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:

    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.

Meta Information
Published: 2026-05-27
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 4.8 (inc) to 5.10.258 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's RDMA/rxe component, specifically in the rxe_rcv() function. The function currently checks that incoming packets are at least as long as the header size before calculating the payload size. However, the payload size calculation subtracts an attacker-controlled padding field (BTH pad) and a fixed size (RXE_ICRC_SIZE) from the packet's payload length. This can cause an underflow in the payload size calculation if a short packet with a forged non-zero BTH pad is received, leading to a negative payload size being passed to later parts of the receive path.

The fix involves validating the packet's payload length against the full minimum length required by the payload size calculation, which includes the header size, the BTH pad, and RXE_ICRC_SIZE, preventing the underflow condition.
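
The three length checks discussed in the description, side by side in a user-space model. This is an added example, not the kernel's code: `struct model_pkt`, the `check_*` and `model_payload_size` names, the 12-byte header length in the samples and the value 4 for `MODEL_ICRC_SIZE` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_ICRC_SIZE 4u /* stands in for RXE_ICRC_SIZE; value assumed */

/* Simplified model of a received packet; not the kernel's struct. */
struct model_pkt {
    size_t paylen;  /* pkt->paylen: bytes available to the transport layer */
    size_t hdr_len; /* header_size(pkt); modelled as equal to offset[RXE_PAYLOAD] */
    unsigned pad;   /* BTH pad field, read from the wire */
};

/* Arithmetic from the description, signed so an underflow is visible. */
static long model_payload_size(const struct model_pkt *p)
{
    return (long)p->paylen - (long)p->hdr_len - (long)p->pad
           - (long)MODEL_ICRC_SIZE;
}

/* Original check: only the fixed headers must fit. */
static bool check_headers_only(const struct model_pkt *p)
{
    return p->paylen >= p->hdr_len;
}

/* Rejected alternative: headers plus ICRC, ignoring the pad field. */
static bool check_headers_icrc(const struct model_pkt *p)
{
    return p->paylen >= p->hdr_len + MODEL_ICRC_SIZE;
}

/* Fixed check: everything payload_size() subtracts must fit. */
static bool check_full_minimum(const struct model_pkt *p)
{
    return p->paylen >= p->hdr_len + p->pad + MODEL_ICRC_SIZE;
}

int main(void)
{
    /* Constructed samples: 12-byte header, varying length and pad. */
    const struct model_pkt s[] = { {12, 12, 0}, {16, 12, 3}, {19, 12, 3} };
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("paylen=%zu pad=%u size=%ld hdr=%d hdr+icrc=%d full=%d\n",
               s[i].paylen, s[i].pad, model_payload_size(&s[i]),
               check_headers_only(&s[i]), check_headers_icrc(&s[i]),
               check_full_minimum(&s[i]));
    return 0;
}
```

The second sample is the case the description singles out: it satisfies both weaker checks yet still yields a negative payload size, and only the full-minimum check rejects it.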

Impact Analysis

This vulnerability can lead to an underflow in the payload size calculation when processing certain network packets. Such an underflow may cause the system to misinterpret packet data lengths, potentially leading to memory corruption or unexpected behavior in the receive path of the RDMA/rxe subsystem.

An attacker could exploit this by sending specially crafted packets with forged padding values, which might result in denial of service or other unpredictable kernel behavior, potentially compromising system stability or security.

Mitigation Strategies

The vulnerability has been resolved by validating the packet payload length against the full minimum length required, including header size, BTH pad, and RXE_ICRC_SIZE. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
