CVE-2026-46114
A memory leak vulnerability exists in the Linux kernel's RDMA over Converged Ethernet (RoCE) driver. An attacker on the network can send specially crafted RDMA ATOMIC_WRITE requests with zero-length payloads to trigger the responder into reading uninitialized kernel memory and inadvertently leaking it back to the attacker. The vulnerability specifically affects how the kernel validates packet lengths before dereferencing memory, allowing 8 bytes of sensitive kernel data (including kernel strings and pointer information) to be extracted per malicious probe.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-476
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in drivers/infiniband/sw/rxe/rxe_resp.c within the atomic_write_reply() function. The code unconditionally dereferences an 8-byte value from a packet payload without validating that the payload is actually 8 bytes long. An attacker can send an ATOMIC_WRITE request with RETH length set to 0, bypassing existing validation in check_rkey() that only compared packet length (pktlen) against remaining bytes (resid). This causes the responder to read 8 bytes from past the logical end of the packet into the socket buffer's head tailroom, then write those bytes via rxe_mr_do_atomic_write() into the attacker's memory region. The leaked data includes the 4-byte kernel tailroom content plus the packet's trailing ICRC. Per IBA specification oA19-28, ATOMIC_WRITE operations must be exactly 8 bytes; the fix enforces strict length validation in check_rkey() before the unsafe dereference is reached.
Business impact
This vulnerability enables remote, unauthenticated disclosure of sensitive kernel memory to an attacker with network access to a RoCE endpoint. Organizations using RDMA for high-performance computing, storage clusters, or data center interconnects face exposure of kernel addresses and data structures that could aid in further exploitation. The leakage occurs in small increments per probe, but sustained attacks can accumulate reconnaissance information. While no authentication is required and the attack is highly reliable, the impact is limited to information disclosure; system integrity and availability are not compromised.
Affected systems
The Linux kernel RoCE (RDMA over Converged Ethernet) driver is affected. This impacts systems running vulnerable kernel versions that have not applied the patch. RoCE is commonly deployed in high-performance computing clusters, data centers, and storage solutions that rely on kernel-based RDMA implementations. The vulnerability applies to the software RXE (SoftRoCE) driver implementation in the kernel.
Exploitability
Exploitability is very high. No authentication, credentials, or user interaction is required. An attacker needs only network access to a system with an active RoCE endpoint. The attack is straightforward: send a crafted ATOMIC_WRITE request with zero payload length. The vulnerability is deterministic and repeatable, allowing reliable information leakage. However, as this is not yet in the CISA Known Exploited Vulnerabilities catalog, public exploit code may not be readily available, though the vulnerability is straightforward to weaponize given the clear root cause and reproducibility noted in the advisory.
Remediation
Apply the kernel patch that implements strict 8-byte length validation for ATOMIC_WRITE operations in check_rkey() before the unsafe dereference occurs. Verify the patch against official Linux kernel repositories or your distribution's security advisories to obtain the correct version number. Until patched, network segmentation to limit access to RoCE endpoints from untrusted sources may reduce exposure, though this is not a complete mitigation. Organizations should prioritize this patching given the ease of exploitation.
Patch guidance
Obtain and apply the upstream Linux kernel fix from the official Linux repository. The patch adds mandatory length validation for ATOMIC_WRITE payloads, rejecting any request that is not exactly 8 bytes. Coordinate patching through your standard kernel update process. Test the patched kernel in a controlled environment before deployment to production clusters. Verify that RoCE functionality remains operational post-patch. Distributions should release security updates shortly after the upstream fix; monitor your Linux vendor's security advisory channels (Red Hat, Ubuntu, SUSE, etc.) for specific patch versions applicable to your deployment.
Detection guidance
Monitor network traffic for ATOMIC_WRITE RDMA requests with zero or non-8-byte payloads. Intrusion detection systems with RDMA protocol awareness can flag such packets. On the kernel side, enable audit logging for RDMA operations if available in your kernel configuration. Look for ICRC errors or protocol violations logged by the RXE driver. Correlate with suspicious memory access patterns on systems hosting RoCE endpoints. Note that the vulnerability leaves no obvious local trace on the victim system; detection relies primarily on observing the malicious network traffic or the attacker's memory region receiving unexpected data.
Why prioritize this
Despite not being on CISA's KEV list, this should be prioritized for patching due to the CVSS 7.5 score (HIGH severity), complete lack of authentication or user interaction requirements, and straightforward exploitability. The vulnerability enables reliable remote information disclosure from the kernel, which is typically a precursor to further exploitation. Any organization running RoCE infrastructure should treat this as high priority. Patch timelines should align with your organization's critical infrastructure update policies, with urgency proportional to the sensitivity of data in affected systems and the exposure to untrusted networks.
Risk score, explained
CVSS 3.1 score of 7.5 reflects HIGH severity. Attack vector is Network (AV:N), attack complexity is Low (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is Unchanged (S:U), indicating impact is limited to the vulnerable component. Confidentiality impact is High (C:H) due to kernel memory leakage, but Integrity and Availability are None (I:N, A:N) since the attacker cannot modify data or crash the system through this path. The score accurately represents a dangerous information disclosure vulnerability with trivial exploitation.
Frequently asked questions
Can an attacker execute code or crash the system with this vulnerability?
No. This vulnerability is limited to information disclosure—specifically, leaking kernel memory. The attacker reads 8 bytes of kernel data per probe but cannot modify kernel state, corrupt data, or trigger a denial of service. However, the leaked information (kernel addresses, data structures) is often valuable reconnaissance for planning further attacks.
What is the difference between a zero-length ATOMIC_WRITE and a legitimate 8-byte ATOMIC_WRITE?
Per the RDMA specification, ATOMIC_WRITE operations must be exactly 8 bytes. The vulnerability exploits a validation gap that previously allowed a zero-length variant to bypass checks and reach unsafe code. The patch enforces strict 8-byte validation, rejecting any other payload size before dereferencing memory.
Do I need to patch if I don't use RDMA or RoCE?
No. This vulnerability is specific to systems running the Linux kernel RDMA RXE driver with active RoCE endpoints. If your infrastructure does not use kernel-based RDMA or RoCE, you are not affected. Check your kernel configuration and running drivers if uncertain.
Is a firewall rule sufficient to protect against this vulnerability?
Firewall rules that restrict network access to RoCE endpoints can reduce exposure but are not a substitute for patching. If you can reliably limit RoCE traffic to trusted networks only, you lower the risk materially. However, a determined attacker with network access (insider, compromised adjacent system, or network-adjacent attacker) could still exploit it. Patching remains the definitive remediation.
This analysis is based on published vulnerability data as of the modification date provided. Patch version numbers and specific CVE references should be verified against official Linux kernel advisories and your Linux distribution's security bulletins. Exploitation risks and mitigations are estimates based on the available technical description; actual impact may vary depending on system configuration and network topology. This content is for informational purposes and does not constitute professional security advice. Organizations should consult with their security teams and follow their standard vulnerability management procedures when responding to this CVE. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46110HIGH
CVE-2026-46110: Linux stmmac NULL Dereference DoS Vulnerability
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUM
CVE-2026-46118: Linux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUM
CVE-2026-46127: Linux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUM
CVE-2026-46134: Linux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2025-59604HIGH
CVE-2025-59604: Qualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGH
CVE-2025-59606: Qualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGH
CVE-2025-70099: NULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)