PatchSiren cyber security CVE debrief
CVE-2026-46043 Linux CVE debrief
CVE-2026-46043 is an integer underflow vulnerability in the Linux kernel's RDMA/rxe (Soft-RoCE) driver. The flaw exists in the `rxe_rcv()` function, which validates incoming packet length against only `header_size(pkt)` before calling `payload_size()`. However, `payload_size()` subtracts both the attacker-controlled BTH pad field and `RXE_ICRC_SIZE` from `pkt->paylen`. A malicious packet with a forged non-zero BTH pad value can cause `payload_size()` to underflow, passing a negative (wrapped) value to downstream receive-path code. The fix validates `pkt->paylen` against the complete minimum length: `header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE`. This vulnerability affects systems with the rxe driver enabled and could lead to memory corruption or denial of service through crafted RDMA packets.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Linux systems with RDMA over converged Ethernet (Soft-RoCE) enabled, particularly HPC clusters, cloud infrastructure, and storage networks that use RDMA protocols.
Technical summary
The rxe driver in the Linux kernel fails to properly validate packet length against all components subtracted in `payload_size()`. The function calculates payload size as `pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE`. Prior validation only ensured `pkt->paylen >= header_size(pkt)`, permitting packets where `bth_pad(pkt) + RXE_ICRC_SIZE` exceeds remaining bytes to cause integer underflow. The vulnerability is remotely exploitable by sending crafted RDMA packets with manipulated BTH pad fields to systems with rxe enabled.
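A userspace model of the length check described above, added here as an illustration and not taken from the kernel source or the upstream patch. `struct model_pkt`, `model_payload_size()`, `check_before()` and `check_after()` are hypothetical names, the sample packets are constructed, and the model assumes `header_size(pkt)` equals the payload offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RXE_ICRC_SIZE 4u   /* ICRC trailer length in bytes */

/* Simplified stand-in for the driver's packet info (model, not kernel code). */
struct model_pkt {
    uint16_t paylen;   /* bytes from BTH through ICRC, as received */
    uint16_t hdr_len;  /* stands in for header_size(pkt) and offset[RXE_PAYLOAD] */
    uint8_t  pad;      /* BTH pad count, 2-bit field taken from the wire */
};

/* Mirrors the subtraction described in the summary; wraps if paylen is short. */
static size_t model_payload_size(const struct model_pkt *p)
{
    return (size_t)p->paylen - p->hdr_len - p->pad - RXE_ICRC_SIZE;
}

/* Pre-fix check: only the headers are accounted for. */
static int check_before(const struct model_pkt *p)
{
    return p->paylen >= p->hdr_len;
}

/* Post-fix check: headers + pad + ICRC must all fit in paylen. */
static int check_after(const struct model_pkt *p)
{
    return (size_t)p->paylen >= (size_t)p->hdr_len + p->pad + RXE_ICRC_SIZE;
}

int main(void)
{
    /* Constructed packets: 12-byte header (BTH only). */
    struct model_pkt pkts[] = {
        { 12 + 64 + 4, 12, 0 },  /* well-formed: 64-byte payload */
        { 12 + 4,      12, 0 },  /* zero-length payload, still valid */
        { 12 + 4,      12, 3 },  /* forged pad: passes old check, wraps */
        { 12,          12, 0 },  /* no room for ICRC */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        const struct model_pkt *p = &pkts[i];
        printf("paylen=%u pad=%u old=%d new=%d payload_size=%zu\n",
               p->paylen, p->pad, check_before(p), check_after(p),
               model_payload_size(p));
    }
    return 0;
}
```

The third and fourth packets pass the header-only check yet produce a wrapped `size_t`; the complete-minimum-length check rejects both while still accepting a zero-length payload.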
Defensive priority
high
Recommended defensive actions
- Apply kernel updates containing the referenced stable commits when available from your Linux distribution
- Disable the rxe (Soft-RoCE) driver if RDMA over converged Ethernet is not required
- Monitor network traffic for anomalous RDMA packets with unusual BTH pad values
- Review system logs for kernel warnings or crashes related to rxe_rcv
- Verify kernel version against patched releases once distribution advisories are published
Evidence notes
Vulnerability description confirms integer underflow in payload_size() calculation. Kernel commit references indicate fixes applied to multiple stable branches. No CVSS score or severity assigned by NVD at time of disclosure.
Official resources
- CVE-2026-46043 CVE record (CVE.org)
- CVE-2026-46043 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27