CVE-2026-46114
Received - Intake
RDMA/rxe: Buffer Overread in ATOMIC_WRITE Payload Handling

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's RDMA/rxe driver, specifically in the handling of ATOMIC_WRITE requests. The function atomic_write_reply() unconditionally reads 8 bytes from a payload address without verifying that the payload is actually 8 bytes long. Due to insufficient length validation in check_rkey(), an attacker can send an ATOMIC_WRITE request with a zero-length payload, which is protocol-invalid but previously accepted.

As a result, the responder reads 8 bytes starting at the logical end of the packet, running into kernel memory (the tailroom of skb->head), and writes those bytes into the attacker's memory region (MR). This leads to a remote disclosure of 4 bytes of kernel memory per probe (the other 4 bytes are the packet's own trailing ICRC), leaking sensitive kernel data such as recognizable strings and kernel pointers.

The vulnerability was fixed by enforcing a strict length check in check_rkey() to reject any ATOMIC_WRITE requests that are not exactly 8 bytes, preventing the unchecked dereference and memory leak.
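
The length check and the 4-byte figure described above can be modelled in a few lines of user-space C. This is an added example, not the kernel's code or the actual patch: struct req_model and the three functions are hypothetical names, and the pre-fix check is simplified to the single-packet case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATOMIC_WRITE_LEN sizeof(uint64_t) /* IBA oA19-28: exactly 8 bytes */
#define ICRC_LEN 4u                       /* trailing ICRC after the payload */

/* Hypothetical, simplified view of the fields the length check looks at. */
struct req_model {
    bool   is_atomic_write; /* ATOMIC_WRITE vs. ordinary RDMA WRITE */
    size_t pktlen;          /* payload bytes carried by this packet */
    size_t resid;           /* bytes still expected, from the RETH length */
};

/* Pre-fix behaviour as described: pktlen is only compared against resid
 * (assumption: single-packet request, so the comparison is equality). */
static bool legacy_len_ok(const struct req_model *r)
{
    return r->pktlen == r->resid;
}

/* Post-fix behaviour: ATOMIC_WRITE must be exactly 8 bytes; WRITE unchanged. */
static bool strict_len_ok(const struct req_model *r)
{
    if (r->is_atomic_write)
        return r->pktlen == ATOMIC_WRITE_LEN && r->resid == ATOMIC_WRITE_LEN;
    return legacy_len_ok(r);
}

/* The responder always loads 8 bytes at the payload address. Returns how
 * many of them lie beyond payload + ICRC, i.e. in buffer tailroom. */
static size_t tailroom_bytes_read(size_t pktlen)
{
    size_t in_packet = pktlen + ICRC_LEN;
    return in_packet >= ATOMIC_WRITE_LEN ? 0 : ATOMIC_WRITE_LEN - in_packet;
}

int main(void)
{
    struct req_model zero = { true, 0, 0 }; /* constructed sample request */
    printf("legacy accepts zero-length ATOMIC_WRITE: %d\n", legacy_len_ok(&zero));
    printf("strict accepts zero-length ATOMIC_WRITE: %d\n", strict_len_ok(&zero));
    printf("tailroom bytes read at pktlen 0: %zu\n", tailroom_bytes_read(0));
    return 0;
}
```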


How can this vulnerability impact me?

This vulnerability allows a remote attacker to leak kernel memory contents by sending specially crafted ATOMIC_WRITE requests with zero-length payloads. The attacker can repeatedly probe and read sensitive kernel data, including kernel strings and pointers.

Such information disclosure can aid attackers in further exploiting the system by revealing internal kernel memory layout and potentially sensitive information, increasing the risk of privilege escalation or other attacks.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by adding a strict length check in the check_rkey() function to reject non-8-byte ATOMIC_WRITE payloads, which are protocol-invalid according to IBA oA19-28.

To mitigate this vulnerability immediately, ensure that your Linux kernel is updated with the patch that implements this strict length validation in the RDMA/rxe driver. This will prevent the responder from processing invalid ATOMIC_WRITE requests that could leak kernel memory.

