{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "8700e3e7c4857d28ebaa824509934556da0b3e76"
            },
            {
              "fixed": "c4376c672c3648d5bdc31dfffc329d07164f93c4"
            },
            {
              "fixed": "5fedefec757192dcaad29a664ac332c7601be144"
            },
            {
              "fixed": "2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"
            },
            {
              "fixed": "2fd4f8b749309a61c3f3f88ee8891d94f79e1240"
            },
            {
              "fixed": "f83519a4c122c9c7a850a2197648a9ff4c67c520"
            },
            {
              "fixed": "9b924f3a26b21330a837cfe72e819b6393bbeeaa"
            },
            {
              "fixed": "e8ee0e792d475b1067c199ef0af1b6221fa6f43d"
            },
            {
              "fixed": "7244491dab347f648e661da96dc0febadd9daec3"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.86"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.27"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt-\u003epaylen:\n\n  payload_size = pkt-\u003epaylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n                 - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt-\u003epaylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE.",
  "id": "CVE-2026-46043",
  "modified": "2026-07-08T05:38:44.061170593Z",
  "published": "2026-05-27T12:56:57.987Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46043.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46043"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"
}