PatchSiren

CVE-2026-46133 Linux CVE debrief

A vulnerability in the Linux kernel's Soft RoCE (RXE) driver allows unauthenticated remote attackers to trigger kernel panics via a single crafted UDP packet. The flaw exists because packets with unknown/undefined IB opcodes are not rejected before ICRC processing: the rxe_opcode[] entry for such an opcode is zero-initialized, and the length arithmetic based on it leads to an out-of-bounds read of the skb payload. An attacker can exploit this by sending a 48-byte UDP packet to port 4791 with opcode 0xff and QPN set to IB_MULTICAST_QPN. The only requirements are that the RXE module be loaded and an rdma link created; no QP, connection, or authentication is needed. The vulnerability predates a related 2024 fix (commit 7244491dab34) and affects the RXE driver since its initial implementation.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux system administrators running kernels with Soft RoCE (RXE) enabled, particularly in virtualized environments, cloud providers offering RDMA-over-Ethernet services, and organizations with RoCEv2 infrastructure using software-emulated RDMA endpoints.

Technical summary

The RXE (Soft RoCE) driver in the Linux kernel fails to validate IB opcodes before performing ICRC header length calculations. The rxe_opcode[] lookup table contains 256 entries but only defined opcodes are populated; undefined entries are zero-initialized. When a packet with an unknown opcode (e.g., 0xff) is received, header_size() returns 0, causing the payload length check to be ineffective. Subsequently, rxe_icrc_hdr() computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES, which underflows to a large unsigned value, passing it to rxe_crc32() and triggering an out-of-bounds read of the skb payload. This can be exploited remotely with a single 48-byte UDP packet to port 4791, causing immediate kernel panic on subsequent packets. The vulnerability requires CONFIG_RDMA_RXE=y and an active rxe link but no established RDMA connection or authentication.
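
The length arithmetic described above, as an added user-space model (not the kernel's code and not the upstream patch). The table, the function names and the two sample entries are constructed for illustration, and treating a header length below the BTH size as an unknown opcode is an assumption about how such a check can be written.

```c
#include <stddef.h>
#include <stdint.h>

#define BTH_BYTES 12u        /* size of the IB Base Transport Header */
#define OPCODE_COUNT 256

/* Simplified stand-in for one rxe_opcode[] entry: header length only. */
struct opcode_info { size_t length; };

/* Only defined opcodes are populated; every other slot stays zero. */
static const struct opcode_info opcode_table[OPCODE_COUNT] = {
    [0x04] = { .length = 12 },   /* constructed sample: BTH only */
    [0x0a] = { .length = 28 },   /* constructed sample: BTH + 16-byte extension */
};

/* Pre-fix size check: the header size is 0 for an unknown opcode, so
 * any packet length passes even though no header layout is known. */
static int length_check_unchecked(uint8_t opcode, size_t pkt_len)
{
    return pkt_len >= opcode_table[opcode].length;
}

/* Pre-fix arithmetic: number of bytes handed to the CRC after the BTH.
 * With length == 0 the unsigned subtraction wraps to SIZE_MAX - 11. */
static size_t icrc_hdr_len_unchecked(uint8_t opcode)
{
    return opcode_table[opcode].length - BTH_BYTES;
}

/* Hardened order: reject unknown opcodes before any length arithmetic.
 * Returns 0 and fills *crc_len on success, -1 if the packet is dropped. */
static int icrc_hdr_len_checked(uint8_t opcode, size_t pkt_len, size_t *crc_len)
{
    size_t hdr = opcode_table[opcode].length;

    if (hdr < BTH_BYTES)         /* zero-initialized (undefined) entry */
        return -1;
    if (pkt_len < hdr)           /* truncated packet */
        return -1;
    *crc_len = hdr - BTH_BYTES;
    return 0;
}
```
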

Defensive priority

critical

Recommended defensive actions

  • Apply kernel patches from the referenced stable commits (ref-4, ref-5, ref-6, ref-7, ref-8) to reject unknown opcodes before ICRC processing
  • Upgrade to kernel versions containing the fix once available from distribution vendors
  • If RXE is not required, disable or blacklist the rxe kernel module until patched
  • Monitor for unexpected kernel panics or KASAN reports on systems with RXE enabled
  • Restrict network access to UDP port 4791 (RoCEv2 default) at firewall boundaries where RXE cannot be disabled
  • Review rdma link configurations and remove unnecessary RXE interfaces

Evidence notes

The vulnerability description confirms reproduction on v7.0-rc7 with KASAN enabled, demonstrating slab-out-of-bounds reads in crc32_le() via rxe_icrc_hdr() and rxe_rcv(). The root cause is identified as zero-initialized entries in the 256-element rxe_opcode[] array for undefined opcodes, causing header_size() to return 0 and subsequent underflow in rxe_icrc_hdr(). The fix rejects unknown opcodes before any length arithmetic. Multiple stable kernel commits are referenced for the patch backports.
