CVE-2026-31630
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: proc: size address buffers for %pISpc output
The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc".
That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap().
As a result, a case such as
[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535
is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c.
Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().
Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example
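As an added illustration (not kernel code), a small userspace model of the text rules the commit describes for "%pISpc", with a helper that checks whether a buffer of a given size holds the formatted text plus its NUL; the is_isatap/v4-mapped rules, the constructed worst-case address and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: userspace model of "%pISpc" text rules for buffer-size checks. */
struct v6 { uint8_t b[16]; };              /* mirrors struct in6_addr */
static unsigned w(const struct v6 *a, int i) { return (a->b[2*i] << 8) | a->b[2*i+1]; }
static int is_v4mapped(const struct v6 *a) {
    static const uint8_t pfx[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(a->b, pfx, 12) == 0;
}
/* ISATAP interface id: words 4..5 are 0000:5efe or 0200:5efe (assumed to match ipv6_addr_is_isatap). */
static int is_isatap(const struct v6 *a) { return (w(a, 4) & ~0x0200u) == 0 && w(a, 5) == 0x5efe; }

/* Compressed IPv6 text: the longest run of more than one zero word becomes "::";
 * v4-mapped and ISATAP addresses get a dotted-quad tail. Returns the full length
 * like snprintf, so callers can detect truncation. */
static int fmt_ipv6c(char *out, size_t len, const struct v6 *a)
{
    char t[64]; size_t n = 0;
    int nw = (is_v4mapped(a) || is_isatap(a)) ? 6 : 8, best = -1, blen = 1, i;
    for (i = 0; i < nw; i++) {                     /* locate the longest zero run */
        int j = i; while (j < nw && w(a, j) == 0) j++;
        if (j - i > blen) { best = i; blen = j - i; }
        if (j > i) i = j;
    }
    for (i = 0; i < nw; i++) {
        if (i == best) { n += snprintf(t + n, sizeof t - n, "%s", n ? ":" : "::"); i += blen - 1; continue; }
        n += snprintf(t + n, sizeof t - n, "%x%s", w(a, i), (i < nw - 1 || nw == 6) ? ":" : "");
    }
    if (nw == 6)
        n += snprintf(t + n, sizeof t - n, "%u.%u.%u.%u", (unsigned)a->b[12], (unsigned)a->b[13], (unsigned)a->b[14], (unsigned)a->b[15]);
    return snprintf(out, len, "%s", t);
}

/* "%pISpc" shape: bracketed IPv6 plus ":port". Returns the untruncated length. */
static int fmt_pISpc(char *out, size_t len, const struct v6 *a, unsigned port)
{
    char ip[64]; fmt_ipv6c(ip, sizeof ip, a);
    return snprintf(out, len, "[%s]:%u", ip, port);
}

/* Constructed worst case from the commit message: ISATAP id with an all-ones tail. */
static const struct v6 worst = {{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0,0,0x5e,0xfe,0xff,0xff,0xff,0xff}};

/* Would a char[bufsize] hold the formatted text plus its NUL? 0 means it would overflow. */
static int fits(size_t bufsize, const struct v6 *a, unsigned port)
{
    char probe[64];
    return (size_t)fmt_pISpc(probe, sizeof probe, a, port) < bufsize;
}
```

The check function uses the snprintf return value, the same truncation signal the kernel's scnprintf-based call sites rely on once the buffers are sized from the maximum textual form.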
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in the Linux kernel's rxrpc procfs helpers: IPv6-with-port address strings of up to 51 bytes (50 characters plus the trailing NUL) are formatted into fixed 50-byte stack buffers.
Vulnerability
The AF_RXRPC procfs helpers in the Linux kernel format local and remote socket addresses into fixed 50-byte stack buffers using the "%pISpc" format specifier. This buffer size is insufficient for the longest possible IPv6-with-port representation the formatter can produce, such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535, which is 50 characters plus a trailing NUL (51 bytes total). The compressed IPv6 path generates such strings for ISATAP addresses, exceeding the 50-byte limit and causing a stack buffer overflow [1].
Exploitation
The vulnerability is present in net/rxrpc/proc.c and can be triggered by local users or processes with access to the rxrpc procfs interface. No special privileges beyond being able to read/write the procfs entries are required, as the overflow occurs during normal formatting of network addresses stored in kernel structures. An attacker cannot directly control the content that overflows, but the overflow can corrupt adjacent stack data, potentially leading to control-flow hijack.
Impact
A successful exploit may overwrite stack memory, enabling local privilege escalation or kernel crash (denial of service). Given the CVSS score of 7.8, the impact is considered high, with low attack complexity and no user interaction required beyond local access.
Mitigation
The fix sizes the buffers to accommodate the maximum textual form and switches the call sites to scnprintf() to prevent overflows. Patches are available in the Linux stable repository for affected kernel versions [1][2][3]. System administrators should apply the latest kernel updates to address this CVE.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.9.1, <6.18.23)
- cpe:2.3:o:linux:linux_kernel:4.9:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.