{
  "affected": [
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:11",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.259-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:12",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.176-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:13",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.12.88-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:14",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:11",
        "name": "linux-6.1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.176-1~deb11u1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt-\u003epaylen \u003c header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt-\u003eopcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt-\u003epaylen \u003c 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt-\u003epaylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt-\u003eopcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
  "id": "DEBIAN-CVE-2026-46133",
  "modified": "2026-07-05T19:48:17.317945806Z",
  "published": "2026-05-28T10:16:28.863Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security-tracker.debian.org/tracker/CVE-2026-46133"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2026-46133"
  ]
}