Bug 2482127 (CVE-2026-46043) - CVE-2026-46043 kernel: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
Keywords:
Status: NEW
Alias: CVE-2026-46043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-27 15:12 UTC by OSIDB Bzimport
Modified: 2026-05-27 19:36 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-27 15:12:36 UTC
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least
header_size(pkt) bytes long before payload_size() is used.

However, payload_size() subtracts both the attacker-controlled BTH pad
field and RXE_ICRC_SIZE from pkt->paylen:

  payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
                 - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even
if it includes enough bytes for the fixed headers. Simply requiring
header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
packet with a forged non-zero BTH pad can still leave payload_size()
negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length
required by payload_size(): header_size(pkt) + bth_pad(pkt) +
RXE_ICRC_SIZE.
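
The three length checks compared in the description above, modelled as an added example; this is not the kernel's code or the upstream patch. The 12-byte header, the value 4 given to RXE_ICRC_SIZE, the model_pkt type and the check_*/wraps helpers are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model: 4-byte ICRC, headers made up of a 12-byte BTH only. */
#define RXE_ICRC_SIZE  4u
#define MODEL_HDR_SIZE 12u

/* Hypothetical, reduced stand-in for the receive-path packet descriptor. */
struct model_pkt {
	size_t  paylen; /* bytes from the start of the headers to the end of the packet */
	uint8_t pad;    /* BTH pad field exactly as the peer sent it (0..3) */
};

static size_t header_size(const struct model_pkt *p) { (void)p; return MODEL_HDR_SIZE; }
static size_t bth_pad(const struct model_pkt *p) { return p->pad; }

/* The subtraction quoted in the description, done in unsigned arithmetic. */
static size_t payload_size(const struct model_pkt *p)
{
	return p->paylen - MODEL_HDR_SIZE - bth_pad(p) - RXE_ICRC_SIZE;
}

/* A wrapped result is larger than the packet it was computed from. */
static bool wraps(const struct model_pkt *p) { return payload_size(p) > p->paylen; }

/* The check before the fix, the insufficient variant, and the fixed check. */
static bool check_hdr(const struct model_pkt *p) { return p->paylen >= header_size(p); }
static bool check_hdr_icrc(const struct model_pkt *p)
{
	return p->paylen >= header_size(p) + RXE_ICRC_SIZE;
}
static bool check_full(const struct model_pkt *p)
{
	return p->paylen >= header_size(p) + bth_pad(p) + RXE_ICRC_SIZE;
}

int main(void)
{
	/* Constructed sample packets: {paylen, pad}. */
	const struct model_pkt s[] = { {12, 0}, {16, 3}, {18, 3}, {19, 3}, {24, 2} };

	puts("paylen pad | hdr hdr+icrc full | payload_size wraps");
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%6zu %3u | %3d %8d %4d | %12zu %d\n", s[i].paylen, (unsigned)s[i].pad,
		       check_hdr(&s[i]), check_hdr_icrc(&s[i]), check_full(&s[i]),
		       payload_size(&s[i]), wraps(&s[i]));
	return 0;
}
```

Every sample that a check accepts while wraps() is true is a packet that check would let through to payload_size() users; only check_full() has no such row.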

