CVE-2026-46043
- Source
- https://cve.org/CVERecord?id=CVE-2026-46043
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46043.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-46043
- Downstream
- Related
- Published
- 2026-05-27T12:56:57.987Z
- Modified
- 2026-06-11T12:29:12.738991717Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Validate pad and ICRC before payloadsize() in rxercv
rxercv() currently checks only that the incoming packet is at least headersize(pkt) bytes long before payload_size() is used.
However, payloadsize() subtracts both the attacker-controlled BTH pad field and RXEICRC_SIZE from pkt->paylen:
payloadsize = pkt->paylen - offset[RXEPAYLOAD] - bthpad(pkt) - RXEICRC_SIZE
This means a short packet can still make payloadsize() underflow even if it includes enough bytes for the fixed headers. Simply requiring headersize(pkt) + RXEICRCSIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.
Fix this by validating pkt->paylen against the full minimum length required by payloadsize(): headersize(pkt) + bthpad(pkt) + RXEICRC_SIZE.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc
- https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240
- https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144
- https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3
- https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa
- https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4
- https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d
- https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-46043
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8700e3e7c4857d28ebaa824509934556da0b3e76Fixedc4376c672c3648d5bdc31dfffc329d07164f93c4Fixed5fedefec757192dcaad29a664ac332c7601be144Fixed2c0d71ef12f46c57d37bc571f3f2797db7eb50ccFixed2fd4f8b749309a61c3f3f88ee8891d94f79e1240Fixedf83519a4c122c9c7a850a2197648a9ff4c67c520Fixed9b924f3a26b21330a837cfe72e819b6393bbeeaaFixede8ee0e792d475b1067c199ef0af1b6221fa6f43dFixed7244491dab347f648e661da96dc0febadd9daec3
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.8.0Fixed5.10.258
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.209
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.175
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.140
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.86
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.27
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed7.0.4