Skip to main content

Linux Kernel CVE-2026-31636

| EUVDEUVD-2026-25529 CRITICAL
Out-of-bounds Read (CWE-125)
2026-04-24 Linux GHSA-mw37-p938-g4hg
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.1 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:21 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:39 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.1 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25529
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix RESPONSE authenticator parser OOB read

rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() Call Trace: dump_stack_lvl() [lib/dump_stack.c:123] print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] kasan_report() [mm/kasan/report.c:597] rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164]

Allocated by task 54: rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.

AnalysisAI

Out-of-bounds read in Linux kernel's rxrpc rxgk authentication handler allows remote unauthenticated attackers to trigger information disclosure and denial of service via malformed RESPONSE authenticator packets. The vulnerability stems from incorrect pointer arithmetic in rxgk_verify_authenticator() that inflates the parser boundary check by a factor of four, allowing reads beyond kmalloc() buffer boundaries. Vendor patches available for kernel versions 6.18.23, 6.19.13, and 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite network attack vector, though KASAN reports confirm reproducibility.

Technical ContextAI

The rxrpc subsystem in the Linux kernel implements the RxRPC remote procedure call protocol, including the rxgk (Rx Generic Kerberos) authentication mechanism. The vulnerability occurs in rxgk_verify_authenticator() where a byte count (auth_len) is used to copy data into a temporary buffer, but the subsequent parser limit calculation treats the pointer as a __be32 pointer (4-byte units) rather than byte-addressed. When computing 'p + auth_len', the compiler performs pointer arithmetic in units of sizeof(__be32), effectively multiplying the intended boundary by four. This allows rxgk_do_verify_authenticator() to read up to four times beyond the allocated buffer when processing malformed RESPONSE authenticators during connection event processing. The issue was detected through KASAN (Kernel Address Sanitizer) slab-out-of-bounds instrumentation in the rxgk_verify_response() call path, which processes network-received authentication responses in kernel workqueue context.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.23, 6.19.13, 7.0, or apply vendor-provided patches from git.kernel.org stable tree (commits 7875f3d9777bd4e9892c4db830571ab8ac2044c0, 20a188775a9a9982d1987e12660d9b44b40a6c99, or 3e3138007887504ee9206d0bfb5acb062c600025). The fix converts byte count to __be32 units before constructing the parser limit, correcting the pointer arithmetic. For systems that cannot immediately patch, disable or unload the rxrpc kernel module if RxRPC protocol support is not required ('rmmod rxrpc' as root, or blacklist via /etc/modprobe.d/blacklist.conf with 'blacklist rxrpc'). Note this breaks AFS and other RxRPC-dependent services. If RxRPC is required but rxgk authentication is not in use, verify rxgk is disabled in configuration. Network-level mitigation is impractical as RxRPC uses dynamic ports. Monitor kernel logs for KASAN slab-out-of-bounds reports in rxgk_verify_response() as potential exploitation indicators. Disabling rxrpc module prevents exploitation but eliminates RxRPC functionality entirely - acceptable for most deployments but unsuitable for AFS infrastructure.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy