CVE-2026-46133
A flaw in the Linux kernel's RDMA/rxe (Soft RoCE) driver allows an unauthenticated attacker to crash the system by sending a specially crafted UDP packet with an invalid opcode. The vulnerability exists in how the driver validates incoming packets before processing checksums. When a packet uses an undefined opcode value, the driver fails to properly validate packet length, leading to an out-of-bounds memory read that triggers a kernel panic. An attacker needs only network access to the RDMA port and can exploit this without authentication, credentials, or any prior connection setup.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46133 is an out-of-bounds read vulnerability in the Linux kernel's RDMA/rxe (Soft RoCE) driver, specifically in the rxe_rcv() function and related packet processing logic. The flaw occurs when processing packets with unknown or undefined opcodes. The driver maintains an rxe_opcode[] array with 256 entries, but only valid InfiniBand opcodes are populated; undefined opcodes result in zero-initialized entries. When validating packet length before ICRC (Internet Checksum) processing, the code checks: pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE. For unknown opcodes where header_size returns 0, this check becomes insufficient and allows undersized packets through. Subsequently, rxe_icrc_hdr() computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES, which underflows to a huge unsigned value when length is 0. This underflowed value is passed to rxe_crc32(), causing it to read far beyond the allocated skb (socket buffer) payload, triggering a slab-out-of-bounds read detected by KASAN. Subsequent packets with the same malformed shape can fault on unmapped memory and panic the kernel.
Business impact
This vulnerability enables a denial-of-service attack against systems running the RDMA/rxe driver, which is used for software-based RDMA over Ethernet. Affected organizations may experience unplanned kernel panics and service outages if systems are directly exposed to untrusted networks. The attack requires only that the rxe module is loaded and an RDMA interface is configured—no active RDMA connections or authentication are needed. For data center operators, storage vendors, and high-performance computing environments using Soft RoCE for clustering or network storage, this represents a critical availability risk. The ease of exploitation (a single 48-byte packet) and lack of prerequisites make this a high-priority denial-of-service vector.
Affected systems
Linux kernel systems with CONFIG_RDMA_RXE enabled (the Soft RoCE driver). The vulnerability affects the kernel's RDMA/rxe subsystem and requires that the rxe kernel module is loaded and an RDMA link is configured. Any Linux distribution or embedded system shipping a kernel with Soft RoCE support and accessible RDMA networking is potentially affected. The vulnerability was introduced early in the Soft RoCE driver's history and persists even after prior patch attempts (commit 7244491dab34) that addressed related but incomplete validation logic.
Exploitability
Exploitability is high. The attack is trivial to execute: an attacker with network access to a system's RDMA UDP port (default 4791) can send a single 48-byte packet with opcode 0xff and QPN set to IB_MULTICAST_QPN to trigger an immediate kernel panic. No authentication, no prior connection, and no user interaction are required. The vulnerability exists in the kernel's receive path before any credential checks, making it reachable from any untrusted network segment with UDP connectivity. CVSS 3.1 score is 7.5 (High) reflecting the network-adjacent attack vector, low complexity, lack of privileges required, and assured availability impact.
Remediation
Apply kernel patches that implement opcode validation before length arithmetic and ICRC processing. The fix involves explicitly checking whether a packet's opcode has a valid entry in the rxe_opcode[] array (via zero mask or zero length check) and rejecting packets with unknown opcodes early in rxe_rcv() before header_size() is used in any length calculation. Verify against the vendor advisory and Linux kernel commit history for the specific version deployed in your environment. Systems unable to immediately patch should disable CONFIG_RDMA_RXE at build time or unload the rxe module if it is not in use. For RDMA environments, network-level access controls restricting UDP port 4791 to trusted sources provide temporary mitigation.
Patch guidance
Update the Linux kernel to a version containing the fix for CVE-2026-46133. Refer to kernel.org, your Linux distribution's security advisories, and the specific vendor advisory for patch version details. The fix typically involves adding an early opcode validity check in rxe_rcv() to reject packets with undefined opcodes before header_size() or other length-dependent operations execute. After patching, reboot systems to load the updated kernel. For systems where Soft RoCE is not actively used, consider disabling the rxe module or rebuilding the kernel without CONFIG_RDMA_RXE to eliminate exposure entirely. Verify patches are applied via kernel version checks and monitoring for rxe module behavior changes.
Detection guidance
Monitor for kernel panics, KASAN slab-out-of-bounds warnings, and crc32_le out-of-bounds read errors in kernel logs, particularly on systems with CONFIG_RDMA_RXE enabled. Configure kernel logging and crash dump analysis to capture stack traces showing rxe_rcv, rxe_icrc_hdr, or crc32_le in the call path. Network-level detection is challenging without deep packet inspection, but IDS/IPS systems can be tuned to flag UDP traffic to port 4791 with unusual packet sizes (e.g., <64 bytes) or invalid InfiniBand opcodes. For proactive detection, enable KASAN on test systems to surface the vulnerability before production impact. Host-based monitoring should alert on unexpected kernel panics or module crashes on systems where RDMA is in use.
Why prioritize this
Despite not being on the KEV catalog, this vulnerability merits immediate prioritization due to its high exploitability, trivial attack execution, complete lack of prerequisites, and severe impact (reliable kernel panic). The 48-byte packet trigger is extraordinarily simple to weaponize. Organizations with Soft RoCE deployments or Linux systems with CONFIG_RDMA_RXE should treat this as a critical availability threat. The vulnerability is also longstanding (present since the driver's inception), increasing the likelihood it exists in many production kernels. Patching should proceed in parallel with network segmentation and module disable measures.
Risk score, explained
CVSS 3.1 Base Score 7.5 (High) reflects: AV:N (network-adjacent attack from any host with UDP connectivity to port 4791), AC:L (low complexity; single packet, no timing or race conditions), PR:N (no privileges required; unauthenticated), UI:N (no user interaction), S:U (impact isolated to the affected host's kernel), C:N (no confidentiality impact), I:N (no integrity impact), and A:H (high availability impact via reliable denial of service/kernel panic). The score does not reflect KEV status, but environmental factors such as direct internet exposure of RDMA services, lack of network segmentation, or critical system role would elevate organizational risk.
Frequently asked questions
Do I need an active RDMA connection or endpoint to be vulnerable?
No. The vulnerability triggers on any system where the rxe module is loaded and an RDMA interface is configured via 'rdma link add'. No active QP (queue pair), connection, or authentication is required. A single unsolicited UDP packet to port 4791 is sufficient.
What opcode values trigger the panic?
Any undefined opcode will trigger it. The example in the CVE uses opcode 0xff, but any value outside the valid IB opcode range (approximately 0–127 for standard opcodes) can cause the same out-of-bounds read and panic.
Can this be exploited remotely from the internet?
Yes, if the RDMA UDP port (4791) is reachable from the attacker's network. This could be direct internet access or through a compromised network segment. Network-level firewalling of port 4791 and restricting RDMA services to trusted subnets are key mitigations.
What is the difference between this fix and the earlier commit 7244491dab34?
The earlier commit only addressed payload_size() underflow for valid opcodes with short packets. This vulnerability exploits unknown opcodes, which are completely missing from the opcode validation logic. The fix adds an explicit check to reject packets with invalid opcodes before any length arithmetic occurs.
This analysis is provided for informational purposes and is based on publicly available CVE data as of the publication date. SEC.co does not guarantee the accuracy, completeness, or timeliness of any remediation steps or patch information. Verify all patch versions and deployment steps against official vendor advisories and your organization's change management procedures. This vulnerability analysis does not constitute legal advice, security warranty, or endorsement of any mitigation strategy. Organizations should conduct their own risk assessments and testing in non-production environments before applying patches or changes. CVSS scores and severity ratings are as reported by the CVE authority; contextual risk may differ based on your environment and exposure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGH
CVE-2026-10889: Critical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGH
CVE-2026-10927: Chrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGH
CVE-2026-11015: Critical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-46130HIGH
CVE-2026-46130: Linux Kernel dm-verity-fec Out-of-Bounds Read – Vulnerability Details
- CVE-2026-46138HIGH
CVE-2026-46138: Linux Bluetooth Kernel Out-of-Bounds Read and DoS Vulnerability
- CVE-2026-46140HIGH
CVE-2026-46140: Linux Kernel Bluetooth btmtk Driver Memory Disclosure
- CVE-2026-10998MEDIUM
CVE-2026-10998: Chrome Media Out-of-Bounds Memory Read Vulnerability