CVE-2026-46043
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel within the rxe_rcv function, which improperly validates the packet length before calculating the payload size. An attacker could exploit this to trigger an underflow error, potentially leading to security issues.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to manipulate data or gain control over the system. Specifically, an attacker could send malicious packets that may lead to unpredictable system behavior.
Recommendation
It is recommended to update the Linux kernel to the latest version that includes fixes for this vulnerability. Additionally, monitoring network traffic for suspicious packets can help mitigate the risk.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen: payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users. Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.

