CVE-2026-31635

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: fix oversized RESPONSE authenticator length check<br /> <br /> rxgk_verify_response() decodes auth_len from the packet and is supposed<br /> to verify that it fits in the remaining bytes. The existing check is<br /> inverted, so oversized RESPONSE authenticators are accepted and passed<br /> to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an<br /> impossible length and hit BUG_ON(len).<br /> <br /> Decoded from the original latest-net reproduction logs with<br /> scripts/decode_stacktrace.sh:<br /> <br /> RIP: __skb_to_sgvec()<br /> [net/core/skbuff.c:5285 (discriminator 1)]<br /> Call Trace:<br /> skb_to_sgvec() [net/core/skbuff.c:5305]<br /> rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]<br /> rxgk_verify_response() [net/rxrpc/rxgk.c:1268]<br /> rxrpc_process_connection()<br /> [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364<br /> net/rxrpc/conn_event.c:386]<br /> process_one_work() [kernel/workqueue.c:3281]<br /> worker_thread()<br /> [kernel/workqueue.c:3353 kernel/workqueue.c:3440]<br /> kthread() [kernel/kthread.c:436]<br /> ret_from_fork() [arch/x86/kernel/process.c:164]<br /> <br /> Reject authenticator lengths that exceed the remaining packet payload.