HIGH | CVE-2026-46114 | CNA: Linux

CVE-2026-46114: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's software RDMA (RDMA/rxe) driver, specifically in how it handles ATOMIC_WRITE operation payloads. A remote, unauthenticated attacker can send a crafted ATOMIC_WRITE packet with a zero-byte payload over the network; the responder then reads 8 bytes past the logical end of the packet from kernel skb head-buffer tailroom and writes those bytes into the attacker's registered memory region, disclosing up to 4 bytes of kernel memory per probe. Successful exploitation leaks kernel heap and stack content including partial pointer values and recognizable kernel strings. A patched-image rebuild at fix version 6.6.140 is available on HarborGuard for affected environments.
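The length rule described above, as an added userspace model that is not the kernel patch or rxe driver code: it runs the zero-length ATOMIC_WRITE case through the old pktlen-versus-resid comparison and through a strict 8-byte check. The struct, enum, function names and the receive-buffer bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ATOMIC_WRITE_LEN 8u   /* ATOMIC_WRITE carries exactly 8 bytes */
#define ICRC_LEN 4u
enum op { OP_RDMA_WRITE, OP_ATOMIC_WRITE };   /* hypothetical names */
struct pkt {                  /* hypothetical, simplified packet view */
    enum op op;
    uint32_t resid;           /* length from the RETH */
    uint32_t pktlen;          /* logical payload length */
    const uint8_t *payload;   /* payload start in the receive buffer */
};

/* Constructed receive buffer: zero-byte payload, ICRC, then tailroom. */
static const uint8_t rxbuf[16] = { 0x11, 0x22, 0x33, 0x44, 'T', 'A', 'I', 'L' };

/* Pre-fix rule as described: pktlen is only compared with resid. */
static int len_ok_before(const struct pkt *p) { return p->pktlen == p->resid; }

/* Strict rule: ATOMIC_WRITE must be 8 bytes; WRITE keeps the old rule. */
static int len_ok_after(const struct pkt *p)
{
    if (p->op == OP_ATOMIC_WRITE)
        return p->resid == ATOMIC_WRITE_LEN && p->pktlen == ATOMIC_WRITE_LEN;
    return p->pktlen == p->resid;
}

/* Sends a zero-length ATOMIC_WRITE through the validator; returns the MR. */
static uint64_t probe(int (*len_ok)(const struct pkt *))
{
    struct pkt p = { OP_ATOMIC_WRITE, 0, 0, rxbuf };
    uint64_t mr = 0;                        /* requester's memory region */
    if (len_ok(&p))                         /* rejected PDUs never reach the load */
        memcpy(&mr, p.payload, sizeof(mr)); /* stands in for the u64 load */
    return mr;
}

/* 1 if bytes 4..7 of the MR equal the buffer's tailroom bytes. */
static int holds_tailroom(uint64_t mr)
{
    return memcmp((const uint8_t *)&mr + ICRC_LEN, rxbuf + ICRC_LEN, 4) == 0;
}

int main(void)
{
    printf("before: tailroom in MR = %d\n", holds_tailroom(probe(len_ok_before)));
    printf("after:  MR = %llu\n", (unsigned long long)probe(len_ok_after));
    return 0;
}
```

With the old comparison the MR ends up holding the 4 ICRC bytes followed by 4 tailroom bytes; with the strict check the request is rejected and the MR stays zero, while ordinary RDMA WRITE lengths are judged exactly as before.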

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built kernel images and base images carrying an affected Linux kernel version. Any image whose kernel version falls below the fix boundary is flagged automatically in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this issue at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is capable of weighting findings against each customer environment's compliance policy before routing alerts to the appropriate team inbox.

Status: Available

Patch

A patched-image rebuild at Linux kernel 6.6.140 becomes available on HarborGuard once the fix version is confirmed against an affected image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the exposed RDMA/rxe responder service over the network; no local access is required.

  • Authentication: Not required

    No credentials or account are needed; the malformed ATOMIC_WRITE packet can be sent by any unauthenticated remote initiator.

  • Victim interaction: Not required

    The responder processes the malformed packet automatically with no user action required on the target host.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; the attacker simply sets the RETH length field to zero in the ATOMIC_WRITE request and the unchecked dereference fires deterministically.

Blast Radius

  • The attacker reads up to 4 bytes of kernel skb head-buffer tailroom per probe, with the other 4 bytes coming from the packet's own trailing ICRC.
  • Leaked bytes can include recognizable kernel strings and partial kernel-direct-map pointer words, aiding further exploitation such as KASLR bypass.
  • The leaked data is written directly into the attacker's registered memory region (MR), making exfiltration trivial and requiring no separate read step.
  • Integrity and availability of the target system are not directly affected by this exploit path; impact is limited to confidential kernel memory disclosure.

How HarborGuard Handles This

Available on HarborGuard: detection is active for any image carrying a Linux kernel version below the fix commits (including 6.6.140 for the stable branch). Where compliance policy permits, auto-remediation customers receive a rebuilt image at the patched version, a regression-test run, and a PR opened against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes. For customers who cannot immediately rebuild (for example where a custom or vendor-supplied kernel is in use), HarborGuard recommends applying network-policy isolation to restrict RDMA/RoCE traffic to trusted initiators only, using egress and ingress filtering on InfiniBand or RoCE ports to limit exposure, and auditing memory-region registrations to reduce the value of any leaked bytes. HarborGuard re-checks the advisory each ingest cycle and will surface the rebuild the moment an applicable upstream fix is confirmed for any remaining affected branch.


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < 539cabb7b2d8ba70f55bba91db55faef11c2a6d7 (from 034e285f8b99062a0cf29112e1232154a6a44aa5)
    < d415fce3fcde6d7aeea6c25362a395b905811452 (from 034e285f8b99062a0cf29112e1232154a6a44aa5)
    < 105bf79a23b85cf3a761d18a4f3e10ce88526bc1 (from 034e285f8b99062a0cf29112e1232154a6a44aa5)
    < 7ec1ed4747f5f99f8b797bb438c5efd36079fad5 (from 034e285f8b99062a0cf29112e1232154a6a44aa5)
    < 1114c87aa6f195cf07da55a27b2122ae26557b26 (from 034e285f8b99062a0cf29112e1232154a6a44aa5)
  • Linux / Linux
    6.2
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N