Skip to main content

Linux Kernel EUVDEUVD-2026-25526

| CVE-2026-31633 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-04-24 Linux GHSA-5j64-84jf-59q3
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:38 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25526
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix integer overflow in rxgk_verify_response()

In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed.

Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet).

AnalysisAI

Integer overflow in Linux kernel's rxrpc rxgk_verify_response() function allows remote unauthenticated attackers to bypass length validation checks and potentially achieve arbitrary code execution. The vulnerability exists in the rxrpc protocol implementation where token_len rounding occurs before validation, enabling buffer overflow conditions. With CVSS 9.8 (critical severity) and network attack vector requiring no authentication, this represents a significant exposure despite low EPSS score (0.02%, 4th percentile), suggesting limited real-world exploitation observed to date. Vendor patches are available across multiple stable kernel versions (6.18.23, 6.19.13, 7.0).

Technical ContextAI

The rxrpc protocol in the Linux kernel implements the RX protocol suite used for remote procedure calls, notably in AFS (Andrew File System) networking. The rxgk_verify_response() function handles authentication token verification in the RXGK security mechanism. The vulnerability stems from a classic TOCTOU (time-of-check-time-of-use) integer overflow: token_len is rounded up (likely for alignment purposes) before the length validation check, allowing an attacker to craft a token_len value that passes validation after rounding but exceeds the actual buffer size allocated. The response data arrives in a single UDP packet, nominally limiting the exploitable range, but the overflow still enables memory corruption. This represents CWE-190 (Integer Overflow) leading to CWE-120 (Buffer Overflow), though NVD has not yet assigned a formal CWE classification. The affected code path is in the kernel's network stack, executing with kernel privileges.

RemediationAI

Update to patched Linux kernel versions: 7.0 or later for mainline users, 6.19.13 or later for 6.19.x stable branch, or 6.18.23 or later for 6.18.x stable branch. Specific fix commits are c1e242beb6b1efc3c286f617e8d940c8fbf2ed41 (6.18), 1f864d9daaf622aeaa774404fd51e7d6a435b046 (6.19), and 699e52180f4231c257821c037ed5c99d5eb0edb8 (mainline). Distribution-specific kernel updates should be applied via normal package management channels (apt, yum, dnf, zypper) as vendors backport the fix. For systems unable to immediately patch, disable the rxrpc kernel module if not required for AFS or other RX protocol services using 'modprobe -r rxrpc' and blacklisting via '/etc/modprobe.d/blacklist-rxrpc.conf' containing 'blacklist rxrpc'. Note this mitigation breaks AFS client functionality and any applications depending on rxrpc sockets. Alternatively, implement network-level controls to restrict UDP traffic to rxrpc service ports (typically 7001) to only trusted administrative networks, reducing attack surface to insider threats. This partial mitigation does not eliminate risk from authenticated network positions. Verify rxrpc module is not loaded with 'lsmod | grep rxrpc' post-mitigation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy