{"id":"CVE-2026-46043","summary":"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt-\u003epaylen:\n\n  payload_size = pkt-\u003epaylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n                 - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt-\u003epaylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE.","modified":"2026-06-11T12:29:12.738991717Z","published":"2026-05-27T12:56:57.987Z","related":["SUSE-SU-2026:2310-1","SUSE-SU-2026:2331-1","SUSE-SU-2026:2332-1","openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46043"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8700e3e7c4857d28ebaa824509934556da0b3e76"},{"fixed":"c4376c672c3648d5bdc31dfffc329d07164f93c4"},{"fixed":"5fedefec757192dcaad29a664ac332c7601be144"},{"fixed":"2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"},{"fixed":"2fd4f8b749309a61c3f3f88ee8891d94f79e1240"},{"fixed":"f83519a4c122c9c7a850a2197648a9ff4c67c520"},{"fixed":"9b924f3a26b21330a837cfe72e819b6393bbeeaa"},{"fixed":"e8ee0e792d475b1067c199ef0af1b6221fa6f43d"},{"fixed":"7244491dab347f648e661da96dc0febadd9daec3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46043.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.8.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46043.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}