HarborGuard Database · CVE-2026-46325 · Severity: CRITICAL · CNA: Linux

CVE-2026-46325: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either
a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or
b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):
   ibmr->iova = 0x181800
   sg[0]: dma_addr=0x181800, len=0x800
   sg[1]: dma_addr=0x173000, len=0x1000
   Access iova = 0x181800 + 0x810 = 0x182010
   Expected VA: 0x173010 (second SG, offset 0x10)
   Before fix:
   - index = (0x182010 >> 12) - (0x181800 >> 12) = 1
   - page_offset = 0x182010 & 0xFFF = 0x10
   - xarray[1] stores system page base 0x170000
   - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)

2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):
   ibmr->iova = 0x18f800
   sg[0]: dma_addr=0x18f800, len=0x800
   sg[1]: dma_addr=0x170000, len=0x1000
   Access iova = 0x18f800 + 0x810 = 0x190010
   Expected VA: 0x170010 (second SG, offset 0x10)
   Before fix:
   - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
   - page_offset = 0x190010 & 0xFFFF = 0x10
   - xarray[1] stores system page for dma_addr 0x170000
   - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution:
1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous)
2. Each rxe_mr_page stores both struct page* and offset within the system page
3. Handle MR page_size != PAGE_SIZE relationships:
   - page_size > PAGE_SIZE: Split MR pages into multiple system pages
   - page_size <= PAGE_SIZE: Store offset within system page
4. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts:
- rdma-core/pytests
  $ ./build/bin/run_tests.py --dev eth0_rxe
- blktest:
  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/
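The two scenarios in the commit message, replayed in a user-space model. This is an added example, not the kernel's rxe code: a `struct page *` is modelled as the system-page-aligned base address of that page, `map_sg()` is a simplified stand-in for the ib_sg_to_pages() walk, and `set_page()`, `iova_to_va_before()`, `iova_to_va_after()` and `translate()` are this example's own names. It contrasts the old lookup (one system page per MR page, offset inside the system page lost) with the layout the fix describes: sequential entries carrying page plus offset, MR pages larger than PAGE_SIZE split into their system pages, and a boundary check on the iova before indexing.

```c
/* Added example, not the kernel's rxe code: user-space model of the MR iova-to-va
 * translation from the commit message; "struct page *" = system-page-aligned base. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 64

struct sg_entry { uint64_t dma_addr, len; };            /* one scatterlist element */
struct rxe_mr_page { uint64_t page, offset; };          /* fix: system page + offset in it */
struct mr {
    uint64_t iova, length;          /* ibmr->iova (first SG's dma_addr) and total length */
    uint64_t page_size, sys_page;   /* MR page size and the host PAGE_SIZE being modelled */
    unsigned nbuf, npages;          /* entries in legacy[] (old layout) and pages[] (new) */
    uint64_t legacy[MAX_ENTRIES];   /* old xarray: one system page per MR page, offset lost */
    struct rxe_mr_page pages[MAX_ENTRIES];
};

static uint64_t shift_of(uint64_t sz) { uint64_t s = 0; while ((1ULL << s) < sz) s++; return s; }

/* rxe_set_page() model: called once per MR page by the SG walk below. */
static bool set_page(struct mr *mr, uint64_t page_addr)
{
    uint64_t sys_mask = mr->sys_page - 1;
    unsigned need = mr->page_size > mr->sys_page ? (unsigned)(mr->page_size / mr->sys_page) : 1;
    if (mr->nbuf >= MAX_ENTRIES || mr->npages + need > MAX_ENTRIES) return false;
    mr->legacy[mr->nbuf++] = page_addr & ~sys_mask;     /* old: virt_to_page() only */
    if (mr->page_size > mr->sys_page)                   /* split the MR page into system pages */
        for (uint64_t off = 0; off < mr->page_size; off += mr->sys_page)
            mr->pages[mr->npages++] = (struct rxe_mr_page){ page_addr + off, 0 };
    else                                                /* keep the MR page's offset in its system page */
        mr->pages[mr->npages++] = (struct rxe_mr_page){ page_addr & ~sys_mask, page_addr & sys_mask };
    return true;
}

/* Simplified stand-in for ib_sg_to_pages(): walk the SG list in mr->page_size steps; rejects
 * input violating the quoted precondition (consecutive SGs contiguous, or both ends aligned). */
static bool map_sg(struct mr *mr, const struct sg_entry *sg, size_t n)
{
    uint64_t mask = mr->page_size - 1, last_end = 0;
    if (!n) return false;
    mr->nbuf = mr->npages = 0; mr->length = 0;
    mr->iova = sg[0].dma_addr;
    for (size_t i = 0; i < n; i++) {
        uint64_t addr = sg[i].dma_addr, end = addr + sg[i].len, page_addr = addr & ~mask;
        if (i && addr != last_end && ((addr | last_end) & mask)) return false;
        if (i && addr == last_end && (addr & mask))
            page_addr += mr->page_size;                 /* MR page already registered */
        for (; page_addr < end; page_addr += mr->page_size)
            if (!set_page(mr, page_addr)) return false;
        mr->length += sg[i].len;
        last_end = end;
    }
    return true;
}

/* Before the fix: index per MR page, offset within the MR page, whole system page stored. */
static bool iova_to_va_before(const struct mr *mr, uint64_t iova, uint64_t *va)
{
    uint64_t shift = shift_of(mr->page_size);
    uint64_t index = (iova >> shift) - (mr->iova >> shift);
    if (iova < mr->iova || iova >= mr->iova + mr->length || index >= mr->nbuf) return false;
    *va = mr->legacy[index] + (iova & (mr->page_size - 1));
    return true;
}

/* After the fix: sequential entries at min(page_size, PAGE_SIZE) granularity from the
 * MR-page-aligned start, each with its system-page offset; iova is bounds-checked first. */
static bool iova_to_va_after(const struct mr *mr, uint64_t iova, uint64_t *va)
{
    uint64_t step = mr->page_size < mr->sys_page ? mr->page_size : mr->sys_page;
    uint64_t shift = shift_of(step), base = mr->iova & ~(mr->page_size - 1), index;
    if (iova < mr->iova || iova >= mr->iova + mr->length) return false;
    index = (iova >> shift) - (base >> shift);
    if (index >= mr->npages) return false;
    *va = mr->pages[index].page + mr->pages[index].offset + (iova & (step - 1));
    return true;
}

/* Map constructed SG entries and translate one iova; returns 0 on any failure. */
static uint64_t translate(uint64_t page_size, uint64_t sys_page, const struct sg_entry *sg,
                          size_t n, uint64_t iova, bool fixed)
{
    struct mr mr = { .page_size = page_size, .sys_page = sys_page };
    uint64_t va = 0;
    if (!map_sg(&mr, sg, n)) return 0;
    return (fixed ? iova_to_va_after(&mr, iova, &va) : iova_to_va_before(&mr, iova, &va)) ? va : 0;
}

/* The commit message's two scenarios (SG tables constructed from its text). */
static const struct sg_entry scen1[] = { { 0x181800, 0x800 }, { 0x173000, 0x1000 } }; /* MR 4K, host 64K */
static const struct sg_entry scen2[] = { { 0x18f800, 0x800 }, { 0x170000, 0x1000 } }; /* MR 64K, host 4K */

int main(void)
{
    printf("scenario 1, before: 0x%llx\n", (unsigned long long)translate(0x1000, 0x10000, scen1, 2, 0x182010, false));
    printf("scenario 1, after:  0x%llx\n", (unsigned long long)translate(0x1000, 0x10000, scen1, 2, 0x182010, true));
    printf("scenario 2, after:  0x%llx\n", (unsigned long long)translate(0x10000, 0x1000, scen2, 2, 0x190010, true));
    return 0;
}
```

Running it reproduces the commit's numbers: scenario 1 yields 0x170010 with the old lookup and 0x173010 with the fixed layout, and scenario 2 yields 0x170010 with the fixed layout. The boundary check is what keeps an iova outside [mr->iova, mr->iova + length) from ever indexing the array, which is the defensive part of the fix a reviewer should look for.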

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A memory address translation bug in the Linux kernel's RDMA soft RoCE driver (rxe) causes incorrect iova-to-va conversion when a memory region uses a page size different from the system page size. The flaw is reachable over the network without authentication and without any victim interaction, as scored by the CVSS v3.1 vector. Successful exploitation gives an attacker full read, write, and crash capabilities against the affected system. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46325 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that carry an affected kernel version.

Triage: Available

HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each customer environment's compliance policy, then routes the alert to the appropriate team inbox within the customer org based on policy-defined ownership rules.

Patch: Available

A patched-image rebuild at the fix versions (6.3, 6.18.14, and the upstream commit refs) is available on HarborGuard for any image found to carry an affected kernel. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network; an attacker must be able to send requests to the exposed RDMA/rxe service.

  • Authentication: Not required

    No credentials or account privileges are needed to trigger the faulty iova-to-va conversion path.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental prerequisites.

Blast Radius

  • An attacker reads arbitrary kernel memory contents, including stored session tokens, cryptographic key material, and in-flight data buffers.
  • An attacker writes to arbitrary kernel memory, allowing modification of kernel data structures, persisted records, or in-flight RDMA payloads.
  • An attacker crashes the affected host by corrupting kernel state, causing a kernel panic and full system outage.
  • Any workload co-located on the same host is exposed to cross-tenant data leakage or disruption through the compromised kernel address space.

How HarborGuard Handles This

Available on HarborGuard: once CVE-2026-46325 is matched against an image in a customer registry or pipeline, the finding is surfaced immediately with its CVSS 9.8 Critical score. A patched-image rebuild at the corrected kernel versions is available for any image confirmed to carry an affected kernel. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs regression tests against the patched image, and opens a PR against affected workloads; for high-severity and critical findings, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automated changes, the finding is queued for manual review with full remediation guidance attached.


Fix available

Fixed in: 0, 6.3, 6.18.14, 6.19.4, 7.0
Fix commits: 12985e5915a0b8354796efadaaeb201eed115377, 409c2c5508f3d30627bea576f8676de523cb906e, 836f6c13c9674027793f720be3f15ecd2b90b6ca
Affected packages
  • Linux / Linux
    < 409c2c5508f3d30627bea576f8676de523cb906e (from 592627ccbdff0ec6fff00fc761142a76db750dd4) · < 836f6c13c9674027793f720be3f15ecd2b90b6ca (from 592627ccbdff0ec6fff00fc761142a76db750dd4) · < 12985e5915a0b8354796efadaaeb201eed115377 (from 592627ccbdff0ec6fff00fc761142a76db750dd4) · 0e443760b8b7b1e6723f4408afa056b2bc4fea12 · < 6.3 (from 6.2.3)
  • Linux / Linux
    6.3
    Fixed in 0, 6.18.14, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H