CVE-2026-46325
Status: Received - Intake
Memory Corruption in Linux Kernel RDMA RXE Driver

Publication date: 2026-06-09

Last updated on: 2026-06-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either
  a) SG[i-1].dma_end and SG[i].dma_addr are contiguous
or
  b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):
   ibmr->iova = 0x181800
   sg[0]: dma_addr=0x181800, len=0x800
   sg[1]: dma_addr=0x173000, len=0x1000

   Access iova = 0x181800 + 0x810 = 0x182010
   Expected VA: 0x173010 (second SG, offset 0x10)
   Before fix:
     - index = (0x182010 >> 12) - (0x181800 >> 12) = 1
     - page_offset = 0x182010 & 0xFFF = 0x10
     - xarray[1] stores system page base 0x170000
     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)

2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):
   ibmr->iova = 0x18f800
   sg[0]: dma_addr=0x18f800, len=0x800
   sg[1]: dma_addr=0x170000, len=0x1000

   Access iova = 0x18f800 + 0x810 = 0x190010
   Expected VA: 0x170010 (second SG, offset 0x10)
   Before fix:
     - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
     - page_offset = 0x190010 & 0xFFFF = 0x10
     - xarray[1] stores system page for dma_addr 0x170000
     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution:
1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous)
2. Each rxe_mr_page stores both struct page* and offset within the system page
3. Handle MR page_size != PAGE_SIZE relationships:
   - page_size > PAGE_SIZE: Split MR pages into multiple system pages
   - page_size <= PAGE_SIZE: Store offset within system page
4. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts:
- rdma-core/pytests
  $ ./build/bin/run_tests.py --dev eth0_rxe
- blktest:
  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/

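
The first scenario in the description (MR page 4K, system page 64K), modelled in user-space C as an added example; it is not the kernel's code or the patch itself. The names `model_mr`, `model_set_page`, `lookup` and `scenario1` are hypothetical, and addresses are treated as plain integers with the VA equal to the DMA address, as the description's own numbers do.

```c
#include <inttypes.h>
#include <stdio.h>

/* Constructed model of scenario 1: 64K system pages, 4K MR pages. */
#define SYS_PAGE_SIZE 0x10000ULL
#define MR_PAGE_SHIFT 12
#define MR_PAGE_SIZE  (1ULL << MR_PAGE_SHIFT)

/* Hypothetical stand-in for an MR; addresses are plain integers (VA == DMA). */
struct model_mr {
    uint64_t iova;
    size_t   nbuf;
    uint64_t sys_page[4]; /* system page base: what a struct page * identifies */
    uint64_t offset[4];   /* fix: where the MR page sits inside that system page */
};

/* Called once per MR page, in MR page_size steps. */
static void model_set_page(struct model_mr *mr, uint64_t addr)
{
    if (mr->nbuf >= 4)
        return;
    mr->sys_page[mr->nbuf] = addr & ~(SYS_PAGE_SIZE - 1);
    mr->offset[mr->nbuf++] = addr & (SYS_PAGE_SIZE - 1);
}

/* fixed == 0: "before fix" arithmetic, dropping the MR page's offset in its system
 * page; fixed == 1: adds it back. The range check guards the model in both modes. */
static uint64_t lookup(const struct model_mr *mr, uint64_t iova, int fixed)
{
    size_t idx = (iova >> MR_PAGE_SHIFT) - (mr->iova >> MR_PAGE_SHIFT);
    if (iova < mr->iova || idx >= mr->nbuf)
        return 0; /* outside the MR */
    return mr->sys_page[idx] + (fixed ? mr->offset[idx] : 0) + (iova & (MR_PAGE_SIZE - 1));
}

/* Builds the MR from scenario 1 and resolves one iova. */
static uint64_t scenario1(int fixed, uint64_t iova)
{
    struct model_mr mr = { .iova = 0x181800 };
    model_set_page(&mr, 0x181800 & ~(MR_PAGE_SIZE - 1)); /* sg[0] */
    model_set_page(&mr, 0x173000);                        /* sg[1] */
    return lookup(&mr, iova, fixed);
}

int main(void)
{
    printf("before 0x%" PRIx64 ", after 0x%" PRIx64 "\n",
           scenario1(0, 0x182010), scenario1(1, 0x182010));
    return 0;
}
```

The same loss of offset affects the first SG entry: with the old arithmetic an access at iova 0x181810 resolves inside the right system page but 0x1000 bytes too low.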
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-14
Generated: 2026-06-15
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel linux_kernel *
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's RDMA/rxe component, where the conversion from IO virtual address (iova) to virtual address (va) is incorrectly handled when memory regions (MRs) have page sizes different from the system PAGE_SIZE.

The core issue is that the function rxe_set_page() uses mr->page_size increments, but the page_list stores individual struct page pointers representing system PAGE_SIZE memory chunks. This mismatch causes incorrect address translation in cases where MR page size is either smaller or larger than the system PAGE_SIZE.

For example, when MR page size is smaller than system PAGE_SIZE (e.g., MR: 4K, system: 64K), or when MR page size is larger than system PAGE_SIZE (e.g., MR: 64K, system: 4K), the iova-to-va conversion results in wrong virtual addresses being calculated.

The fix involves replacing the xarray with a pre-allocated rxe_mr_page array for sequential indexing, storing both struct page pointers and offsets within system pages, and properly handling the relationship between MR page sizes and system PAGE_SIZE. This ensures correct address translation regardless of page size differences.

Impact Analysis

This vulnerability can lead to incorrect memory address translations in RDMA operations, potentially causing kernel panics or system instability.

Since the iova-to-va conversion is incorrect, memory accesses may target wrong or invalid memory locations, which can result in crashes or unpredictable behavior in applications relying on RDMA.

Such instability can affect system reliability and availability, especially in environments that depend on high-performance RDMA networking.

Detection Guidance

Detection of this vulnerability involves running specific tests related to RDMA and the rxe driver to verify correct iova-to-va conversion and memory region handling.

The following commands are the tests listed with the fix, run on hosts with 4K and 64K PAGE_SIZE; the first is from rdma-core/pytests and the second from blktest:

  • $ ./build/bin/run_tests.py --dev eth0_rxe
  • $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

Mitigation Strategies

Immediate mitigation involves applying the fix that corrects the iova-to-va conversion for memory regions with page sizes different from the system PAGE_SIZE.

The fix includes:

  • Replacing the xarray with a pre-allocated rxe_mr_page array for sequential indexing.
  • Storing both struct page* and offset within the system page in each rxe_mr_page.
  • Handling MR page_size != PAGE_SIZE relationships by splitting MR pages into multiple system pages or storing offsets within system pages.
  • Adding boundary checks and compatibility validation.

Therefore, updating the Linux kernel to a version that includes this fix is the recommended immediate step.
