CVE-2026-31635
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
24/04/2026
Última modificación:
24/04/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
rxrpc: fix oversized RESPONSE authenticator length check<br />
<br />
rxgk_verify_response() decodes auth_len from the packet and is supposed<br />
to verify that it fits in the remaining bytes. The existing check is<br />
inverted, so oversized RESPONSE authenticators are accepted and passed<br />
to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an<br />
impossible length and hit BUG_ON(len).<br />
<br />
Decoded from the original latest-net reproduction logs with<br />
scripts/decode_stacktrace.sh:<br />
<br />
RIP: __skb_to_sgvec()<br />
[net/core/skbuff.c:5285 (discriminator 1)]<br />
Call Trace:<br />
skb_to_sgvec() [net/core/skbuff.c:5305]<br />
rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]<br />
rxgk_verify_response() [net/rxrpc/rxgk.c:1268]<br />
rxrpc_process_connection()<br />
[net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364<br />
net/rxrpc/conn_event.c:386]<br />
process_one_work() [kernel/workqueue.c:3281]<br />
worker_thread()<br />
[kernel/workqueue.c:3353 kernel/workqueue.c:3440]<br />
kthread() [kernel/kthread.c:436]<br />
ret_from_fork() [arch/x86/kernel/process.c:164]<br />
<br />
Reject authenticator lengths that exceed the remaining packet payload.