CVE-2026-46325 Overview
CVE-2026-46325 is a Linux kernel vulnerability in the Soft RoCE (RDMA over Converged Ethernet) driver, RDMA/rxe. The flaw resides in the iova-to-va (I/O virtual address to virtual address) conversion logic for memory regions (MRs) when the MR page_size differs from the system PAGE_SIZE. The rxe_set_page() function increments by mr->page_size, while the page list stores per-PAGE_SIZEstruct page pointers, producing incorrect address translations. A previously reported kernel panic confirms the defect is reachable from RDMA workloads. The issue affects deployments mixing 4K and 64K page-size hosts with RDMA traffic over rxe.
Critical Impact
Incorrect virtual address resolution in the kernel RDMA path can result in memory corruption, kernel panics, and denial of service on systems running Soft RoCE.
Affected Products
- Linux kernel — drivers/infiniband/sw/rxe (Soft RoCE driver)
- Systems using RDMA memory regions where mr->page_size differs from system PAGE_SIZE (e.g., 4K MR on 64K hosts, or 64K MR on 4K hosts)
- Workloads using rdma-core, NVMe-oF/RDMA, SRP, and RNBD over rxe
Discovery Timeline
- 2026-06-09 - CVE-2026-46325 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46325
Vulnerability Analysis
The Soft RoCE driver maintains a mapping from I/O virtual addresses to host kernel virtual addresses for registered memory regions. The original implementation used an xarray indexed by an offset computed from mr->page_size, while the entries themselves represented PAGE_SIZE-granular struct page pointers. When the MR page size and system page size diverge, the index calculation and the page-offset masking operate on inconsistent units, producing a virtual address that points to unrelated memory.
The commit message documents two reproducible cases. When page_size (4K) is smaller than PAGE_SIZE (64K), an access at iova 0x182010 resolves to 0x170010 instead of the expected 0x173010. When page_size (64K) exceeds PAGE_SIZE (4K), an access at iova 0x190010 similarly resolves to a wrong page base. Both cases yield reads or writes against memory the verb consumer never registered.
Root Cause
The defect is an input validation and boundary error in rxe_set_page() and the surrounding MR translation logic. The function steps through scatter-gather entries in mr->page_size increments but stores one entry per system page, breaking the invariant required for correct indexing. The fix replaces the xarray with a pre-allocated rxe_mr_page array that stores both a struct page * and an offset within the system page, and explicitly handles the page_size > PAGE_SIZE and page_size <= PAGE_SIZE cases with boundary checks.
Attack Vector
Exploitation requires the ability to submit RDMA operations through the rxe driver, typically available to local processes with access to the RDMA verbs interface or to remote peers across an RDMA fabric reachable by the host. Malformed or mismatched MR registrations trigger the incorrect translation, producing kernel panics or unintended memory access. The referenced upstream report describes a reproducible kernel panic from standard RDMA tooling.
No verified public exploit code is available. Technical details are documented in the upstream commits: 12985e5915a0, 409c2c5508f3, and 836f6c13c967.
Detection Methods for CVE-2026-46325
Indicators of Compromise
- Kernel panics or oops traces referencing rxe_mr, rxe_set_page, or ib_sg_to_page in the call stack.
- Unexpected BUG: or general protection fault messages on hosts running Soft RoCE with mixed MR/system page sizes.
- RDMA verb failures or data integrity errors from NVMe-oF, SRP, or RNBD workloads using rxe.
Detection Strategies
- Inventory kernel versions across Linux hosts and identify systems running the rdma_rxe module with lsmod | grep rdma_rxe.
- Correlate dmesg and kernel crash dumps for stack traces involving the rxe driver to identify systems hitting the defect.
- Audit MR registration patterns in RDMA-consuming applications to detect page_size values that differ from host PAGE_SIZE.
Monitoring Recommendations
- Forward /var/log/kern.log, journalctl -k, and kdump artifacts to a centralized log platform for stack trace analysis.
- Alert on repeated kernel oops events on hosts exposing RDMA interfaces.
- Track patch state of the Linux kernel against the upstream stable commits referenced for this CVE.
How to Mitigate CVE-2026-46325
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the CVE record to all hosts running the rdma_rxe driver.
- Where patching is not immediate, unload the rdma_rxe module on systems that do not require Soft RoCE: modprobe -r rdma_rxe.
- Restrict access to RDMA verb interfaces to trusted processes and network peers.
Patch Information
The issue is resolved by the upstream kernel commits 12985e5915a0, 409c2c5508f3, and 836f6c13c967. The fix replaces the xarray with a pre-allocated rxe_mr_page array, stores both struct page * and intra-page offset, splits MR pages when page_size > PAGE_SIZE, and adds boundary and compatibility checks. Validation was performed using rdma-core pytests and blktest on both 4K and 64K PAGE_SIZE hosts.
Workarounds
- Disable the Soft RoCE driver on hosts that do not require it by blacklisting the rdma_rxe module.
- Avoid registering memory regions whose page_size differs from the host PAGE_SIZE until the patch is deployed.
- Segment RDMA fabrics so that only trusted hosts can issue verbs against vulnerable kernels.
# Blacklist the Soft RoCE driver until the kernel is patched
echo 'blacklist rdma_rxe' | sudo tee /etc/modprobe.d/disable-rxe.conf
sudo modprobe -r rdma_rxe
# Verify the module is no longer loaded
lsmod | grep rdma_rxe || echo "rdma_rxe not loaded"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
