Skip to main content

Linux Kernel CVE-2026-31635

| EUVDEUVD-2026-25528 HIGH
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-04-24 Linux GHSA-f5xm-f2m7-vrg6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 15:38 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25528
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix oversized RESPONSE authenticator length check

rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.

AnalysisAI

Remote denial of service in Linux kernel rxrpc subsystem allows unauthenticated network attackers to trigger kernel crash via malformed rxgk RESPONSE packets. An inverted length check in rxgk_verify_response() accepts oversized authenticators, causing skb_to_sgvec() to hit BUG_ON() and panic the kernel. EPSS exploitation probability is very low (0.02%, 4th percentile), no active exploitation confirmed, and patches are available across stable kernel branches 6.18.23, 6.19.13, and 7.0.

Technical ContextAI

This vulnerability affects the Linux kernel's RxRPC implementation, specifically the rxgk (RxRPC Generic Key) authentication mechanism used for secure transport in the Andrew File System (AFS) protocol. The rxgk_verify_response() function parses incoming RESPONSE authenticator packets and extracts an auth_len field. Due to an inverted conditional check (likely using > instead of <=), the function incorrectly validates authenticator lengths - accepting packets where the declared length exceeds remaining buffer capacity. This malformed length value propagates to rxgk_decrypt_skb(), which invokes skb_to_sgvec() for scatter-gather list construction. The skb_to_sgvec() function contains defensive BUG_ON() assertions that trigger a kernel panic when impossible length parameters are encountered, as seen at net/core/skbuff.c:5285. The vulnerability represents a classic integer validation flaw where inverted comparison logic defeats bounds checking, transforming a denial-of-service condition into a guaranteed kernel crash rather than graceful error handling.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.18.23 or later for the 6.18 stable branch, 6.19.13 or later for 6.19 stable, or 7.0 for mainline kernels. Apply patches from upstream commits beee051f259a, e2f1a80d8b1e, or a2567217ade9 depending on your kernel branch - verify with your distribution's security advisory process. If immediate patching is not feasible, disable RxRPC support by blacklisting the rxrpc kernel module (echo 'blacklist rxrpc' > /etc/modprobe.d/disable-rxrpc.conf && rmmod rxrpc) or recompile kernel without CONFIG_AF_RXRPC - note this will break AFS client/server functionality. For AFS-dependent environments unable to patch, implement network-level controls: restrict UDP port 7001 (AFS callback) and TCP/UDP 7000 (file server) to trusted AFS infrastructure using iptables/nftables rules. This reduces attack surface but does not eliminate risk from compromised internal systems. Compensating controls trade AFS availability for security - assess operational impact before deployment. Monitor kernel logs for rxgk-related crashes (BUG_ON in skb_to_sgvec) as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy