rxrpc: fix oversized RESPONSE authenticator length check

CVE	CVE-2026-31635
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-24 15:16:42 UTC
Updated	2026-05-18 15:16:25 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload.

Primary CVSS: v3.1 7.5 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000170000 probability, percentile 0.040590000 (date 2026-04-27)

Problem Types: NVD-CWE-noinfo | CWE-130 | CWE-130 CWE-130 Improper Handling of Length Parameter Inconsistency

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.1	CNA	DECLARED	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a beee051f259acd286fed64c32c2b31e6f5097eb5 git	Not specified
CNA	Linux	Linux	affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305 git	Not specified
CNA	Linux	Linux	affected 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a a2567217ade970ecc458144b6be469bc015b23e5 git	Not specified
CNA	Linux	Linux	affected 6.16	Not specified
CNA	Linux	Linux	unaffected 6.16 semver	Not specified
CNA	Linux	Linux	unaffected 6.18.23 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.13 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/beee051f259acd286fed64c32c2b31e6f5097eb5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
github.com/v12-security/pocs/tree/main/dirtydecrypt	134c704f-9b21-4f2e-91b3-4a467353bcc0	github.com
git.kernel.org/stable/c/a2567217ade970ecc458144b6be469bc015b23e5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.