CVE-2026-31636
Description
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix RESPONSE authenticator parser OOB read
rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.
Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:
BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() Call Trace: dump_stack_lvl() [lib/dump_stack.c:123] print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] kasan_report() [mm/kasan/report.c:597] rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164]
Allocated by task 54: rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
Convert the byte count to __be32 units before constructing the parser limit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
84cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.16.1,<6.18.23
- cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- osv-coords75 versionspkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-modules-extra-matchedpkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rv
< 6.12.0-211.28.1.el10_2+ 74 more
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
- (no CPE)range: < 6.12.0-211.28.1.el10_2
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.