HIGH

CVE-2026-46114

Published: May 28, 2026 · Updated: May 30, 2026

CVSS v3.1: 7.5
EPSS: 0.05% probability of exploitation in 30 days (percentile: 16.6th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):

    value = *(u64 *)payload_addr(pkt);

check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).

IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.

Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.

NVD Source
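
The length rule from the official description, as an added example that is neither the kernel patch nor code from this page: a simplified userspace C model of the single-packet case that contrasts a check comparing only pktlen with resid against one that also requires exactly 8 bytes for ATOMIC_WRITE. All struct and function names are hypothetical, and the sample requests in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not the rxe driver's. */
enum op { OP_RDMA_WRITE, OP_ATOMIC_WRITE };
struct req {
    enum op op;
    size_t pktlen; /* payload bytes carried in the packet */
    size_t resid;  /* length announced in the RETH */
};
#define ATOMIC_WRITE_LEN sizeof(uint64_t) /* ATOMIC_WRITE is exactly 8 bytes */
#define ICRC_LEN 4u                       /* trailing ICRC after the payload */

/* Before: the length is only compared against resid, so 0 == 0 is accepted. */
static bool len_ok_before(const struct req *r) { return r->pktlen == r->resid; }

/* After: ATOMIC_WRITE must be exactly 8 bytes; plain WRITE keeps the old rule. */
static bool len_ok_after(const struct req *r)
{
    if (r->op == OP_ATOMIC_WRITE)
        return r->resid == ATOMIC_WRITE_LEN && r->pktlen == ATOMIC_WRITE_LEN;
    return r->pktlen == r->resid;
}

/* Bytes an unconditional 8-byte read takes from beyond the logical payload. */
static size_t bytes_past_payload(const struct req *r)
{
    return r->pktlen < ATOMIC_WRITE_LEN ? ATOMIC_WRITE_LEN - r->pktlen : 0;
}

/* Of those, the bytes that lie beyond the packet's own ICRC (buffer tailroom). */
static size_t bytes_past_packet(const struct req *r)
{
    size_t over = bytes_past_payload(r);
    return over > ICRC_LEN ? over - ICRC_LEN : 0;
}

int main(void)
{
    struct req zero = { OP_ATOMIC_WRITE, 0, 0 }; /* constructed: RETH length 0 */
    struct req good = { OP_ATOMIC_WRITE, 8, 8 }; /* constructed: valid request */
    printf("zero: before=%d after=%d past_payload=%zu past_packet=%zu\n",
           len_ok_before(&zero), len_ok_after(&zero),
           bytes_past_payload(&zero), bytes_past_packet(&zero));
    printf("good: before=%d after=%d\n", len_ok_before(&good), len_ok_after(&good));
    return 0;
}
```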

Technical Analysis

CVE-2026-46114 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in a complete confidentiality breach (data exposure), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
Impact
  • Confidentiality: High
  • Integrity: None
  • Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

  • CVE ID: CVE-2026-46114
  • CVSS Score: 7.5 / 10
  • Severity: HIGH
  • CISA KEV: No
  • EPSS (30d): 0.05%
  • Published: May 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46114 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.