Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-31636

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
24/04/2026
Last modified:
24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix RESPONSE authenticator parser OOB read

rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

    BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
    Call Trace:
    dump_stack_lvl() [lib/dump_stack.c:123]
    print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
    kasan_report() [mm/kasan/report.c:597]
    rxgk_verify_response()
      [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167
       net/rxrpc/rxgk.c:1274]
    rxrpc_process_connection()
      [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
       net/rxrpc/conn_event.c:386]
    process_one_work() [kernel/workqueue.c:3281]
    worker_thread()
      [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
    kthread() [kernel/kthread.c:436]
    ret_from_fork() [arch/x86/kernel/process.c:164]

    Allocated by task 54:
    rxgk_verify_response()
      [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155
       net/rxrpc/rxgk.c:1274]
    rxrpc_process_connection()
      [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
       net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.
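The unit mismatch described above, as an added user-space example (not the kernel's code and not part of the original advisory): a byte count added to a 32-bit pointer yields a limit four times too far, so a bounds check against that limit accepts a field larger than the buffer. The names arena, limit, parse_field, run and AUTH_LEN, and the length-prefixed field layout, are assumptions made for illustration and do not reproduce the rxgk authenticator format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_LEN 16u  /* constructed: authenticator length in bytes */

/* 4 * AUTH_LEN bytes: the first AUTH_LEN model the temporary buffer, the rest
 * model neighbouring heap data, so every pointer below stays inside one array. */
static uint32_t arena[AUTH_LEN];

/* Parser limit. Unfixed: byte count added to a 32-bit pointer (scaled by 4).
 * Fixed: byte count converted to 32-bit units first. */
static const uint32_t *limit(const uint32_t *p, size_t auth_len, int fixed)
{
    return fixed ? p + auth_len / sizeof(*p) : p + auth_len;
}

/* Hypothetical parser: one big-endian length word, then that many bytes padded
 * to 4. Returns bytes consumed, or -1 if the field does not fit before end. */
static long parse_field(const uint32_t *p, const uint32_t *end)
{
    const unsigned char *b = (const unsigned char *)p;
    if (end - p < 1)
        return -1;
    uint64_t len = ((uint64_t)b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
    uint64_t words = (len + 3) / 4;
    if ((uint64_t)(end - p - 1) < words)
        return -1;
    return (long)(4 * (1 + words));
}

/* Parse a constructed malformed authenticator whose length word claims 40
 * bytes although the whole buffer is only AUTH_LEN (16) bytes long. */
static long run(int fixed)
{
    static const unsigned char claim40[4] = { 0, 0, 0, 40 };
    memset(arena, 0xAA, sizeof(arena));
    memcpy(arena, claim40, sizeof(claim40));
    return parse_field(arena, limit(arena, AUTH_LEN, fixed));
}

int main(void)
{
    printf("unfixed limit: %ld bytes accepted (buffer is %u)\n", run(0), AUTH_LEN);
    printf("fixed limit:   %ld\n", run(1));
    return 0;
}
```

With the unfixed limit the parser's own bounds check passes for a field that extends 28 bytes beyond the 16-byte buffer; with the converted limit the same input is rejected.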

Impact