APPLIED: [SRU][N][PATCH 0/1] CVE-2026-46325

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 15:05:20 UTC 2026


On 24/06/2026 10:37, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-46325
> 
> [ Impact ]
> 
> The RDMA/rxe driver incorrectly handles memory regions (MRs) whose page size
> differs from the system PAGE_SIZE. Because rxe_set_page() advances by
> mr->page_size increments while the page_list stores individual PAGE_SIZE struct
> page pointers, iova-to-va conversion produces an incorrect virtual address
> whenever the MR page size is smaller or larger than PAGE_SIZE. This can cause
> memory accesses to resolve to the wrong page, leading to data corruption or a
> kernel panic, and carries a CVSS score of 9.8.
> 
> [ Fix ]
> 
> noble: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change could break iova-to-va translation in the RDMA/rxe
> (soft RoCE) driver, resulting in incorrect memory region accesses, data
> corruption, or crashes for RDMA workloads. The reworked rxe_mr_page array
> indexing and boundary checks could also introduce issues on hosts with non-
> default PAGE_SIZE (such as 64K) if the page-size handling is incorrect.
> 

Applied to noble:linux/master-next. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/bf31d075/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/bf31d075/attachment-0001.sig>


More information about the kernel-team mailing list