CVE-2026-31641
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
24/04/2026
Last modified:
27/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix RxGK token loading to check bounds

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length
from the XDR token as u32 values and passes each through round_up(x, 4)
before using the rounded value for validation and allocation. When the raw
length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and
kzalloc both use 0 while the subsequent memcpy still copies the original
~4 GiB value, producing a heap buffer overflow reachable from an
unprivileged add_key() call.

Fix this by:

(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket
lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with
the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

(2) Sizing the flexible-array allocation from the validated raw key
length via struct_size_t() instead of the rounded value.

(3) Caching the raw lengths so that the later field assignments and
memcpy calls do not re-read from the token, eliminating a class of
TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.
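
The length arithmetic described above can be checked in user space without touching any memory. The following is an added example, not the kernel's code or the upstream patch: a simplified model in which `KEY_MAX` is a constructed stand-in for `AFSTOKEN_GK_KEY_MAX`, and `remaining`, `struct plan` and the two `plan_*` functions are hypothetical names. It only computes the sizes each ordering would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KEY_MAX 64u /* constructed cap, stands in for AFSTOKEN_GK_KEY_MAX */

/* Same arithmetic as round_up(x, 4) applied to a u32: wraps modulo 2^32. */
static uint32_t round_up4(uint32_t x) { return ((x - 1u) | 3u) + 1u; }

struct plan { int accepted; size_t alloc_len; size_t copy_len; };

/* Pre-fix ordering: validate and size from the rounded value, copy the raw one. */
static struct plan plan_rounded_first(uint32_t raw_len, uint32_t remaining)
{
    struct plan p = { 0, 0, 0 };
    uint32_t padded = round_up4(raw_len);
    if (padded > remaining)      /* bounds check sees 0 once padded has wrapped */
        return p;
    p.accepted = 1;
    p.alloc_len = padded;        /* allocation sized from the wrapped value */
    p.copy_len = raw_len;        /* copy length is still the raw value */
    return p;
}

/* Fixed ordering: cap the raw length first, then round, size from the raw length. */
static struct plan plan_raw_first(uint32_t raw_len, uint32_t remaining)
{
    struct plan p = { 0, 0, 0 };
    if (raw_len > KEY_MAX)       /* reject before any rounding can wrap */
        return p;
    if (round_up4(raw_len) > remaining)
        return p;
    p.accepted = 1;
    p.alloc_len = raw_len;       /* cached, validated raw length */
    p.copy_len = raw_len;
    return p;
}

int main(void)
{
    /* Constructed sample lengths; 32 bytes are assumed left in the token. */
    const uint32_t samples[] = { 16u, 0xfffffffcu, 0xfffffffdu, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct plan a = plan_rounded_first(samples[i], 32u);
        struct plan b = plan_raw_first(samples[i], 32u);
        printf("raw=%#x pre-fix: ok=%d alloc=%zu copy=%zu | fixed: ok=%d\n",
               (unsigned)samples[i], a.accepted, a.alloc_len, a.copy_len, b.accepted);
    }
    return 0;
}
```

A mismatch between `alloc_len` and `copy_len` on an accepted length is the condition the fix removes; in the fixed ordering the two are always equal.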
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16.1 (including) | 6.18.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* | | |



