CVE-2026-31635
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix oversized RESPONSE authenticator length check
rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).
Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:
RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
  skb_to_sgvec() [net/core/skbuff.c:5305]
  rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
  rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
  rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
  process_one_work() [kernel/workqueue.c:3281]
  worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
  kthread() [kernel/kthread.c:436]
  ret_from_fork() [arch/x86/kernel/process.c:164]
Reject authenticator lengths that exceed the remaining packet payload.
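The class of bug described above, as an added userspace model that is not the kernel source or the upstream patch: the function name parse_auth_len(), the 4-byte big-endian length prefix, and the sample packets are assumptions made for illustration. It runs the inverted comparison and the corrected one over the same constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: names and packet layout are hypothetical. */

/* Constructed samples: 4-byte length field followed by 8 payload bytes. */
static const uint8_t pkt_ok[12]  = {0, 0, 0, 4, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t pkt_big[12] = {0, 1, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8};

/* Read a 32-bit big-endian value. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Decode a length-prefixed authenticator at offset `off` in a packet of
 * `len` bytes. Returns the accepted length, or -1 if the packet is rejected.
 * `inverted` selects the buggy comparison so the two can be compared.
 */
int64_t parse_auth_len(const uint8_t *pkt, size_t len, size_t off, int inverted)
{
    if (off > len || len - off < 4)
        return -1;                       /* no room for the length field */

    uint32_t auth_len = get_be32(pkt + off);
    size_t remaining = len - off - 4;    /* bytes left after the field */

    if (inverted) {
        /* Bug class: rejects lengths that fit, accepts ones that do not. */
        if (auth_len < remaining)
            return -1;
    } else {
        /* Corrected: reject anything longer than the remaining payload. */
        if (auth_len > remaining)
            return -1;
    }
    return (int64_t)auth_len;            /* caller may now use this length */
}

int main(void)
{
    printf("fits, inverted check:      %lld\n", (long long)parse_auth_len(pkt_ok, 12, 0, 1));
    printf("fits, corrected check:     %lld\n", (long long)parse_auth_len(pkt_ok, 12, 0, 0));
    printf("oversized, inverted check: %lld\n", (long long)parse_auth_len(pkt_big, 12, 0, 1));
    printf("oversized, corrected:      %lld\n", (long long)parse_auth_len(pkt_big, 12, 0, 0));
    return 0;
}
```

With the inverted comparison the oversized length is the one that gets through, which is why downstream code that trusts the returned value ends up working with a length larger than the buffer it was read from.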
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Inverted length check in Linux kernel's rxrpc allows oversized RESPONSE authenticators, causing a kernel panic (BUG_ON) in skb_to_sgvec().
Vulnerability
Overview
CVE-2026-31635 is a logic error in the Linux kernel's RxRPC (rxrpc) implementation. The function rxgk_verify_response() decodes an auth_len field from incoming RESPONSE packets and is supposed to verify that it fits within the remaining packet payload. However, the length check is inverted, so oversized authenticator lengths are accepted and passed to rxgk_decrypt_skb() [1].
Exploitation
An unauthenticated remote attacker can craft a RESPONSE packet with an auth_len value that exceeds the actual remaining data. When the kernel processes this packet, the oversized length is forwarded to rxgk_decrypt_skb(), which eventually calls skb_to_sgvec() with an impossible length, triggering a BUG_ON and causing a kernel panic [1]. No special privileges or local access are required; the attack is purely network-based against an RxRPC connection.
Impact
Successful exploitation results in a denial-of-service (DoS) condition via kernel panic. The crash trace shows the panic originates in __skb_to_sgvec() and propagates through the RxRPC connection worker thread [1]. A proof-of-concept exploit (dubbed "DirtyDecrypt") has been published, demonstrating the vulnerability [4].
Mitigation
The fix corrects the inverted length check by rejecting authenticator lengths that exceed the remaining packet payload [1][2][3]. Patches have been applied to the mainline Linux kernel and are available in stable branches. Users should update their kernels to the latest patched versions to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.16.1,<6.18.23
- cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References (4)
News mentions (1)
- Exploit available for new DirtyDecrypt Linux root escalation flaw (BleepingComputer, May 18, 2026)