Skip to main content

Linux Kernel CVE-2026-31630

| EUVDEUVD-2026-25523 HIGH
2026-04-24 Linux GHSA-9g7x-mw42-qjmh
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:37 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25523
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: proc: size address buffers for %pISpc output

The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc".

That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap().

As a result, a case such as

[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535

is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().

Changes since v1:

  • correct the changelog to cite the actual maximum current-tree case

explicitly

  • frame the proof around the ISATAP formatting path instead of the earlier

mapped-v4 example

AnalysisAI

Buffer overflow in Linux kernel's AF_RXRPC procfs address formatting allows local authenticated users to corrupt memory and potentially escalate privileges. The vulnerability affects rxrpc proc handlers that write IPv6 socket addresses into 50-byte stack buffers, but ISATAP-format IPv6 addresses with ports can require 51 bytes, causing single-byte overflow. EPSS exploitation probability is low (0.02%, 4th percentile), and patches are available from kernel.org for versions 6.18.23, 6.19.13, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), and CVSS 7.8 reflects local-only attack vector requiring authenticated access.

Technical ContextAI

AF_RXRPC is the Linux kernel's transport protocol implementation for the RxRPC protocol used by AFS (Andrew File System). The vulnerability exists in net/rxrpc/proc.c where procfs handlers format local and remote socket addresses using the kernel's %pISpc format specifier. This specifier can produce compressed IPv6 representations including ISATAP addresses (IPv6 over IPv4 tunneling mechanism) detected via ipv6_addr_is_isatap() in lib/vsprintf.c. When an ISATAP address like [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is formatted, it produces 50 visible characters plus a null terminator (51 bytes total), overflowing the fixed char[50] stack buffers. This is a classic stack-based buffer overflow (CWE-121 implied by behavior) caused by insufficient buffer sizing for worst-case formatter output. The CPE strings indicate broad kernel version exposure across the 4.9+ lineage where rxrpc procfs support exists.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.23 or later in the 6.18.x stable series (commit db297c78ce537c9ac96f0eda9b25ad72c8caefa7), 6.19.13 or later in 6.19.x series (commit 10ebed83f9f6414af4e85bc85ffaeda7effdd874), or mainline kernel 7.0 and above (commit a44ce6aa2efb61fe44f2cfab72bb01544bbca272). Patches are available at https://git.kernel.org/stable/ per the NVD references. For systems that cannot immediately upgrade, disable the rxrpc kernel module if not required for operational services by adding 'install rxrpc /bin/true' to /etc/modprobe.d/blacklist.conf and running 'rmmod rxrpc' if currently loaded; this mitigation prevents module loading but breaks AFS and any other RxRPC-dependent functionality, making it unsuitable for AFS fileserver environments. Restrict local user access and monitor for unexpected rxrpc procfs access (/proc/net/rxrpc/*) as a detective control, though this does not prevent exploitation by authorized users. Priority patching recommended for multi-user systems and AFS deployments within standard maintenance windows given local-only attack vector.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy