CVE-2026-46133: RDMA/rxe: Reject unknown opcodes before ICRC processing
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject unknown opcodes before ICRC processing

Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.

The check added there reads

    pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE

where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to

    pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE

which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes

    rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES

which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.

Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after

    rdma link add rxe0 type rxe netdev eth0

A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:

    BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170
    Read of size 1 at addr ...
    The buggy address is located 0 bytes to the right of
     allocated 704-byte region
    Call Trace:
     crc32_le+0x115/0x170
     rxe_icrc_hdr.isra.0+0x226/0x300
     rxe_icrc_check+0x13f/0x3a0
     rxe_rcv+0x6e1/0x16e0
     rxe_udp_encap_recv+0x20a/0x320
     udp_queue_rcv_one_skb+0x7ed/0x12c0

Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication.

Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.
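
A userspace C model of the arithmetic the commit message describes, added here as an illustration and not taken from the kernel patch. `opcode_tbl` is a two-entry stand-in for `rxe_opcode[]` with placeholder mask values, the function names are hypothetical, and the 48-byte length in `main` is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BTH_BYTES 12   /* IB Base Transport Header size */
#define ICRC_SIZE 4    /* invariant CRC trailer size */

/* Stand-in for rxe_opcode[]: 256 slots, only defined opcodes populated.
 * Mask values are placeholders; only "non-zero" matters here. */
struct opcode_info { unsigned mask; int length; };
static const struct opcode_info opcode_tbl[256] = {
    [0x04] = { .mask = 1, .length = BTH_BYTES },      /* RC SEND_ONLY: BTH only */
    [0x0a] = { .mask = 1, .length = BTH_BYTES + 16 }, /* RC RDMA_WRITE_ONLY: BTH + RETH */
};

/* Length check as quoted above: returns 1 when the packet passes. */
int legacy_len_ok(uint8_t opcode, size_t paylen, unsigned pad)
{
    return !(paylen < (size_t)opcode_tbl[opcode].length + pad + ICRC_SIZE);
}

/* Byte count handed to the CRC routine for the headers after the BTH.
 * Signed subtraction, then conversion to size_t, as in the described path. */
size_t icrc_hdr_len(uint8_t opcode)
{
    return (size_t)(opcode_tbl[opcode].length - BTH_BYTES);
}

/* The fix's test: zero mask or zero length means no table entry. */
int opcode_known(uint8_t opcode)
{
    return opcode_tbl[opcode].mask != 0 && opcode_tbl[opcode].length != 0;
}

/* Reject unknown opcodes before any length arithmetic runs. */
int fixed_len_ok(uint8_t opcode, size_t paylen, unsigned pad)
{
    return opcode_known(opcode) && legacy_len_ok(opcode, paylen, pad);
}

int main(void)
{
    const uint8_t ops[] = { 0x04, 0x0a, 0xff };
    const size_t paylen = 48;   /* constructed sample length */
    for (size_t i = 0; i < sizeof(ops); i++)
        printf("opcode 0x%02x: legacy=%d fixed=%d crc_len=%zu\n", ops[i],
               legacy_len_ok(ops[i], paylen, 0), fixed_len_ok(ops[i], paylen, 0),
               icrc_hdr_len(ops[i]));
    return 0;
}
```

For opcode 0xff the legacy check passes while the CRC length wraps to a value far beyond the packet; with the opcode test in front, the packet is dropped before that subtraction is reached.
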
HarborGuard Analysis
Synopsis
An out-of-bounds read vulnerability exists in the Linux kernel's Soft RoCE (RDMA over Converged Ethernet) driver, specifically in the rxe (RDMA/rxe) subsystem. A remote, unauthenticated attacker can send a single crafted 48-byte UDP packet to port 4791 to trigger the flaw, requiring no prior authentication or established connection. Successful exploitation crashes the kernel, causing a denial of service; repeated packets fault on unmapped memory and panic the host. A patched-image rebuild is available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection of CVE-2026-46133 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate affected Linux kernel versions. Any image carrying a kernel in the affected range is flagged automatically in both registry scans and CI/CD pipeline checks.
Available
HarborGuard scores this CVE at CVSS 7.5 (HIGH) using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Available
A patched-image rebuild targeting the fix commits (including stable releases 6.6.140 and 6.12.88) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the host's UDP port 4791 over the network; no prior session or established connection is needed.
- Authentication: Not required
No credentials or account of any privilege level are required to trigger the vulnerability.
- Victim interaction: Not required
No user action is needed; the kernel processes the malicious packet passively upon receipt.
- Attack complexity
Exploitation is reliable and condition-free; a single crafted 48-byte packet is sufficient to trigger the out-of-bounds read with no timing constraints or environmental dependencies.
Blast Radius
- Crashes the running kernel immediately upon receipt of a single crafted UDP packet, taking down all workloads on the host.
- Subsequent packets of the same shape fault on unmapped memory, causing a full kernel panic and an unplanned reboot.
- Any container or process sharing the host kernel loses availability for the duration of the panic-induced downtime.
- No confidential data is read by the attacker and no data is modified; impact is limited to complete availability loss of the host.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE fires within minutes of publication for any image carrying an affected Linux kernel, covering both pulled base images and internally built images that bundle a custom kernel. For environments running an affected kernel version, a patched-image rebuild at the fix versions (stable tags 6.6.140 and 6.12.88, or the upstream fix commits) is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because this flaw requires only that UDP port 4791 be reachable, customers who cannot immediately apply the patch should consider adding a network policy that restricts inbound access to that port to trusted RDMA peers only, limiting exposure until the rebuilt image is promoted.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < e3dc3a2fb05f4ed49c7f20594c4c52350d032189 (from 8700e3e7c4857d28ebaa824509934556da0b3e76) · < f8ee926431a7bbec2b10c1290664af2cb290b983 (from 8700e3e7c4857d28ebaa824509934556da0b3e76) · < 006a3a5f75345c6a0dbf13fd3ee01406e93b6733 (from 8700e3e7c4857d28ebaa824509934556da0b3e76) · < 6fa18025e5782afff91415fd5217b39c1e4837d7 (from 8700e3e7c4857d28ebaa824509934556da0b3e76) · < 4c6f86d85d03cdb33addce86aa69aa795ca6c47a (from 8700e3e7c4857d28ebaa824509934556da0b3e76)
- Linux / Linux 4.8: Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H