# CVE-2026-46133: rdma Opcode OOB

- Severity: HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- KernelScan AI score: 8.1 (HIGH)
## Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject unknown opcodes before ICRC processing

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger a panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.

The check added there reads

```
pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE
```

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to

```
pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE
```

which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES, which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

```
rdma link add rxe0 type rxe netdev eth0
```

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:

```
BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
Read of size 1 at addr ...
The buggy address is located 0 bytes to the right of allocated 704-byte region
Call Trace:
 crc32_le+0x115/0x170
 rxe_icrc_hdr.isra.0+0x226/0x300
 rxe_icrc_check+0x13f/0x3a0
 rxe_rcv+0x6e1/0x16e0
 rxe_udp_encap_recv+0x20a/0x320
 udp_queue_rcv_one_skb+0x7ed/0x12c0
```

Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.
## KernelScan AI Analysis

### Risk summary
Unauthenticated remote attackers can send malformed UDP packets to crash systems running Soft RoCE (RXE) RDMA. A single 48-byte packet with an unknown opcode triggers an out-of-bounds read that can leak kernel slab data and subsequently causes kernel panic. Systems with RDMA networking exposed are at immediate risk of denial-of-service attacks and limited information disclosure.
### Vulnerability analysis
The RXE driver processes InfiniBand opcodes from UDP packets without validating that the opcode is defined in the rxe_opcode[] lookup table. Unknown opcodes have zero-initialized entries, so the header length computed in rxe_icrc_hdr() underflows. That passes a huge value to rxe_crc32(), which then reads the skb payload out of bounds. The first read leaks data from the kernel slab allocator; subsequent packets with the same shape fault on unmapped memory and panic the kernel. The fix adds early validation that rejects packets with undefined opcodes before any length arithmetic runs. The attack surface is any system with CONFIG_RDMA_RXE enabled and an active RXE interface, reachable over UDP port 4791 without authentication.
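To make the degenerate length check and the unsigned underflow from the description and analysis above concrete, here is an added C model of the two receive-path checks; it is not the driver's code and not part of the advisory. The opcode table, RXE_BTH_BYTES and RXE_ICRC_SIZE are simplified stand-ins with assumed values, and the packet is only a struct, never a real UDP datagram.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Sizes as used in the rxe driver headers (values assumed here). */
#define RXE_BTH_BYTES 12u
#define RXE_ICRC_SIZE  4u

/* Toy stand-in for the driver's rxe_opcode[] table: 256 slots, only defined IB
 * opcodes populated, every other slot left zero-initialized (the advisory's point). */
struct rxe_opcode_info { unsigned int mask; unsigned int length; };
static const struct rxe_opcode_info rxe_opcode[256] = {
    [0x04] = { .mask = 1, .length = RXE_BTH_BYTES },      /* RC SEND_ONLY: BTH only (constructed) */
    [0x0a] = { .mask = 1, .length = RXE_BTH_BYTES + 16 }, /* RC RDMA_WRITE_ONLY: BTH + RETH (constructed) */
};

/* Minimal model of rxe_pkt_info: BTH opcode byte, bytes present, BTH pad count. */
struct rxe_pkt_info { uint8_t opcode; unsigned int paylen; unsigned int pad; };
/* The check from commit 7244491dab34. For an unknown opcode length == 0, so
 * header_size is 0 and a 48-byte packet sails through. */
static bool paylen_check(const struct rxe_pkt_info *pkt)
{
    unsigned int header_size = rxe_opcode[pkt->opcode].length;
    return pkt->paylen >= header_size + pkt->pad + RXE_ICRC_SIZE;
}

/* Byte count rxe_icrc_hdr() hands to rxe_crc32(): unsigned, so 0 - 12 wraps to ~4 GiB. */
static unsigned int icrc_hdr_len(const struct rxe_pkt_info *pkt)
{
    return rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES;
}

/* Fixed ordering: reject an opcode with no table entry (zero mask or zero
 * length) before any length arithmetic runs, then apply the existing check. */
static bool rcv_check_fixed(const struct rxe_pkt_info *pkt)
{
    const struct rxe_opcode_info *info = &rxe_opcode[pkt->opcode];
    if (info->mask == 0 || info->length == 0)
        return false;
    return paylen_check(pkt);
}

int main(void)
{
    struct rxe_pkt_info unknown = { .opcode = 0xff, .paylen = 48, .pad = 0 };
    printf("opcode 0xff: old check %s, crc len %u, fixed check %s\n",
           paylen_check(&unknown) ? "accepts" : "rejects", icrc_hdr_len(&unknown),
           rcv_check_fixed(&unknown) ? "accepts" : "rejects");
    return 0;
}
```

The old check accepts the 48-byte opcode-0xff packet and the CRC length wraps to 4294967284 bytes, while the fixed check rejects it before that subtraction is reached.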
## Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 318787fa7193 |
| 5.15 | 5.15.209 | 6a79b1ea0fcb |
| 6.1 | 6.1.175 | 599cfdf44c17 |
| 6.6 | 6.6.140 | e3dc3a2fb05f |
| 6.12 | 6.12.88 | f8ee926431a7 |
| 6.18 | 6.18.30 | 006a3a5f7534 |
| 7.0 | 7.0.7 | 6fa18025e578 |
| mainline | 7.1-rc3 | 4c6f86d85d03 |