CVE-2026-46114

Source
https://cve.org/CVERecord?id=CVE-2026-46114
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46114.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46114
Downstream
Related
Published
2026-05-28T09:35:24.638Z
Modified
2026-07-15T01:49:15.466588884Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomicwritereply() at drivers/infiniband/sw/rxe/rxeresp.c unconditionally dereferences 8 bytes at payloadaddr(pkt):

value = *(u64 *)payload_addr(pkt);

checkrkey() previously accepted an ATOMICWRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomicwritereply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxemrdoatomicwrite(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMICWRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into checkrkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46114.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
034e285f8b99062a0cf29112e1232154a6a44aa5
Fixed
539cabb7b2d8ba70f55bba91db55faef11c2a6d7
Fixed
d415fce3fcde6d7aeea6c25362a395b905811452
Fixed
105bf79a23b85cf3a761d18a4f3e10ce88526bc1
Fixed
7ec1ed4747f5f99f8b797bb438c5efd36079fad5
Fixed
1114c87aa6f195cf07da55a27b2122ae26557b26

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46114.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46114.json"