VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-46039

Description

In the Linux kernel, the following vulnerability has been resolved:

rxgk: Fix potential integer overflow in length check

Fix potential integer overflow in rxgk_extract_token() when checking the length of the ticket. Rather than rounding up the value to be tested (which might overflow), round down the size of the available data.

Affected products

1

Patches

6
6929350080f4

rxgk: Fix potential integer overflow in length check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · David Howells · Apr 22, 2026 · Fixed in 7.1-rc1 · via kernel-cna
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c · +1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
    index 30275cb5ba3e25..5587639d60c538 100644
    --- a/net/rxrpc/rxgk_app.c
    +++ b/net/rxrpc/rxgk_app.c
    @@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
     	ticket_len	= ntohl(container.token_len);
     	ticket_offset	= token_offset + sizeof(container);
     
    -	if (xdr_round_up(ticket_len) > token_len - sizeof(container))
    +	if (ticket_len > xdr_round_down(token_len - sizeof(container)))
     		goto short_packet;
     
     	_debug("KVNO %u", kvno);
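
Review bot: the right-hand side of the new check, token_len - sizeof(container), is still an unsigned subtraction, so it would wrap to a very large value if token_len can be smaller than sizeof(container) at this point, and rounding that down would let any ticket_len through. The hunk does not show a preceding token_len >= sizeof(container) test; please confirm one exists earlier in rxgk_extract_token() or add it next to this check.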
    
  • net/rxrpc/rxgk_common.h · +1 1 modified
    diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h
    index 80164d89e19c03..1e257d7ab8ec1b 100644
    --- a/net/rxrpc/rxgk_common.h
    +++ b/net/rxrpc/rxgk_common.h
    @@ -34,6 +34,7 @@ struct rxgk_context {
     };
     
     #define xdr_round_up(x) (round_up((x), sizeof(__be32)))
    +#define xdr_round_down(x) (round_down((x), sizeof(__be32)))
     #define xdr_object_len(x) (4 + xdr_round_up(x))
     
     /*
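
Review bot: xdr_round_up() is left unchanged and xdr_object_len() still expands to 4 + xdr_round_up(x), so both can wrap in the same way whenever x comes straight from the wire. A short comment above these macros stating that xdr_round_up() and xdr_object_len() are only for lengths that have already been bounded, and that xdr_round_down() belongs on the available-space side of a comparison, would help keep the next caller from reintroducing the pattern.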
43222ac484f9

rxgk: Fix potential integer overflow in length check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · David Howells · Apr 22, 2026 · Fixed in 6.18.27 · via kernel-cna
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c · +1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
    index 30b6701a986702..0ef2a29eb69581 100644
    --- a/net/rxrpc/rxgk_app.c
    +++ b/net/rxrpc/rxgk_app.c
    @@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
     	ticket_len	= ntohl(container.token_len);
     	ticket_offset	= token_offset + sizeof(container);
     
    -	if (xdr_round_up(ticket_len) > token_len - sizeof(container))
    +	if (ticket_len > xdr_round_down(token_len - sizeof(container)))
     		goto short_packet;
     
     	_debug("KVNO %u", kvno);
    
  • net/rxrpc/rxgk_common.h · +1 1 modified
    diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h
    index 80164d89e19c03..1e257d7ab8ec1b 100644
    --- a/net/rxrpc/rxgk_common.h
    +++ b/net/rxrpc/rxgk_common.h
    @@ -34,6 +34,7 @@ struct rxgk_context {
     };
     
     #define xdr_round_up(x) (round_up((x), sizeof(__be32)))
    +#define xdr_round_down(x) (round_down((x), sizeof(__be32)))
     #define xdr_object_len(x) (4 + xdr_round_up(x))
     
     /*
183d37f12d1c

rxgk: Fix potential integer overflow in length check

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · David Howells · Apr 22, 2026 · Fixed in 7.0.4 · via kernel-cna
2 files changed · +2 2
  • net/rxrpc/rxgk_app.c · +1 1 modified
    diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c
    index 30b6701a986702..0ef2a29eb69581 100644
    --- a/net/rxrpc/rxgk_app.c
    +++ b/net/rxrpc/rxgk_app.c
    @@ -214,7 +214,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
     	ticket_len	= ntohl(container.token_len);
     	ticket_offset	= token_offset + sizeof(container);
     
    -	if (xdr_round_up(ticket_len) > token_len - sizeof(container))
    +	if (ticket_len > xdr_round_down(token_len - sizeof(container)))
     		goto short_packet;
     
     	_debug("KVNO %u", kvno);
    
  • net/rxrpc/rxgk_common.h · +1 1 modified
    diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h
    index 80164d89e19c03..1e257d7ab8ec1b 100644
    --- a/net/rxrpc/rxgk_common.h
    +++ b/net/rxrpc/rxgk_common.h
    @@ -34,6 +34,7 @@ struct rxgk_context {
     };
     
     #define xdr_round_up(x) (round_up((x), sizeof(__be32)))
    +#define xdr_round_down(x) (round_down((x), sizeof(__be32)))
     #define xdr_object_len(x) (4 + xdr_round_up(x))
     
     /*

Vulnerability mechanics

Root cause

"Integer overflow in rxgk_extract_token() when xdr_round_up(ticket_len) wraps around, bypassing the length check against token_len."

Attack vector

An attacker sends a crafted RxRPC packet containing a token with a large ticket_len value. The original check computes xdr_round_up(ticket_len) which can overflow a 32-bit unsigned integer, causing the comparison to pass even when the actual ticket data exceeds the available buffer [patch_id=2660221]. This can lead to an out-of-bounds read in the kernel's RxGK token extraction path.

Affected code

The vulnerable code is in net/rxrpc/rxgk_app.c in the function rxgk_extract_token(), at the length check on line 214. The helper macro xdr_round_up() in net/rxrpc/rxgk_common.h is used in the vulnerable expression.

What the fix does

The patch moves the rounding to the other side of the comparison: instead of rounding up the attacker-controlled ticket_len (which can overflow), it rounds down the available space, token_len - sizeof(container), using a new xdr_round_down() macro [patch_id=2660221]. Rounding down can only make a value smaller, so it cannot overflow, and the rounded-down value is never larger than the actual available data.
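
The wrap and the fix can be reproduced in user space. The following is an added example, not kernel code: it models both forms of the check with 32-bit arithmetic and counts the lengths that only the old form accepts. The 12-byte container size, the `*32` helper names and `count_wrapped_accepts()` are assumptions made for the model, and token_len is assumed to be at least the container size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XDR_UNIT       4u   /* sizeof(__be32) */
#define CONTAINER_SIZE 12u  /* assumed sizeof(container) for this model */

/* 32-bit models of the kernel macros; unsigned arithmetic wraps mod 2^32. */
static uint32_t xdr_round_up32(uint32_t x)
{
	return ((x - 1u) | (XDR_UNIT - 1u)) + 1u;
}

static uint32_t xdr_round_down32(uint32_t x)
{
	return x & ~(XDR_UNIT - 1u);
}

/* Pre-fix predicate: true means "goto short_packet". */
static bool old_check_rejects(uint32_t ticket_len, uint32_t token_len)
{
	return xdr_round_up32(ticket_len) > token_len - CONTAINER_SIZE;
}

/* Post-fix predicate: only the available-space side is rounded. */
static bool new_check_rejects(uint32_t ticket_len, uint32_t token_len)
{
	return ticket_len > xdr_round_down32(token_len - CONTAINER_SIZE);
}

/* Count lengths, in windows at both ends of the 32-bit range, that the
 * old check accepts but the new one rejects. Assumes token_len >= 12. */
static unsigned int count_wrapped_accepts(uint32_t token_len)
{
	unsigned int n = 0;

	for (uint32_t i = 0; i < 1024; i++) {
		uint32_t lo = i, hi = UINT32_MAX - i;

		n += !old_check_rejects(lo, token_len) && new_check_rejects(lo, token_len);
		n += !old_check_rejects(hi, token_len) && new_check_rejects(hi, token_len);
	}
	return n;
}

int main(void)
{
	printf("round_up(0xfffffffd) = %u\n", xdr_round_up32(0xfffffffdu));
	printf("wrapped accepts for token_len=64: %u\n", count_wrapped_accepts(64));
	return 0;
}
```

For lengths that do not wrap, the two predicates agree, so the fix changes behaviour only for the top three values of the 32-bit range.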

Preconditions

  • network: The attacker must be able to send a crafted RxRPC packet to the target system.
  • config: The target must have the rxgk (RxGK) authentication mechanism enabled for RxRPC connections.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
