rxrpc: Fix integer overflow in rxgk_verify_response()
Summary
| CVE | CVE-2026-31633 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 15:16:42 UTC |
| Updated | 2026-04-27 20:30:33 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix integer overflow in rxgk_verify_response() In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed. Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet). |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000170000 probability, percentile 0.040590000 (date 2026-04-27)
Problem Types: CWE-190
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a 1f864d9daaf622aeaa774404fd51e7d6a435b046 git | Not specified |
| CNA | Linux | Linux | affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a c1e242beb6b1efc3c286f617e8d940c8fbf2ed41 git | Not specified |
| CNA | Linux | Linux | affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a 699e52180f4231c257821c037ed5c99d5eb0edb8 git | Not specified |
| CNA | Linux | Linux | affected 6.16 | Not specified |
| CNA | Linux | Linux | unaffected 6.16 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.23 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.13 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/699e52180f4231c257821c037ed5c99d5eb0edb8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/1f864d9daaf622aeaa774404fd51e7d6a435b046 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c1e242beb6b1efc3c286f617e8d940c8fbf2ed41 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.