DEBIAN-CVE-2026-46043
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen:

    payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE

This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users.

Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE.
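The length checks described above, as a userspace model added here for illustration (not the kernel's code and not the upstream patch). The struct, the function names, the single hdr_len field standing in for both header_size(pkt) and offset[RXE_PAYLOAD], and the sample packets are all assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICRC_SIZE 4 /* stands in for RXE_ICRC_SIZE (4-byte ICRC) */

/* Simplified stand-in for the packet info; not the kernel's struct. */
struct pkt_model {
    uint16_t paylen;  /* length of the received RoCE packet data */
    uint16_t hdr_len; /* models header_size(pkt) and offset[RXE_PAYLOAD] */
    uint8_t  pad;     /* BTH pad count, read from the packet itself (0..3) */
};

/* Same subtraction as the formula above; wraps when the packet is short. */
static size_t payload_size_model(const struct pkt_model *p)
{
    return (size_t)(p->paylen - p->hdr_len - p->pad - ICRC_SIZE);
}

/* Pre-fix check as described: fixed headers only. */
static int old_check(const struct pkt_model *p)
{
    return p->paylen >= p->hdr_len;
}

/* Post-fix check as described: headers + pad + ICRC. */
static int fixed_check(const struct pkt_model *p)
{
    return (size_t)p->paylen >= (size_t)p->hdr_len + p->pad + ICRC_SIZE;
}

/* Constructed samples; hdr_len 12 is a bare 12-byte BTH. */
static const struct pkt_model headers_only = { 12, 12, 0 }; /* no ICRC present */
static const struct pkt_model forged_pad   = { 16, 12, 3 }; /* ICRC, pad claims 3 */
static const struct pkt_model well_formed  = { 20, 12, 0 }; /* 4 payload bytes */

int main(void)
{
    const struct pkt_model *s[] = { &headers_only, &forged_pad, &well_formed };
    for (int i = 0; i < 3; i++)
        printf("paylen=%u pad=%u old=%d fixed=%d payload_size=%zu\n",
               (unsigned)s[i]->paylen, (unsigned)s[i]->pad,
               old_check(s[i]), fixed_check(s[i]), payload_size_model(s[i]));
    return 0;
}
```

The forged_pad sample also satisfies a header_size + ICRC check (16 >= 12 + 4), which is the case the description calls out as insufficient.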
References
https://security-tracker.debian.org/tracker/CVE-2026-46043
