CVE-2026-31641
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix RxGK token loading to check bounds
rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call.
Fix this by:
(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.
(2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value.
(3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse.
The control path (valid token with lengths within bounds) is unaffected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 < 3e04596cba8a86cbff9c3f4bf0a524a3a488773c | affected |
| Linux | Linux | 0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 < 49875b360c2b83a3c226e189c502e501d83e6445 | affected |
| Linux | Linux | 0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 < d179a868dd755b0cfcf7582e00943d702b9943b8 | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.18.23 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.13 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: rxrpc: Fix RxGK token loading to check bounds
Additional References
- https://access.redhat.com/security/cve/CVE-2026-31641
- https://bugzilla.redhat.com/show_bug.cgi?id=2461548
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31641.json
- https://access.redhat.com/errata/RHSA-2026:27288
References
- https://git.kernel.org/stable/c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c
- https://git.kernel.org/stable/c/49875b360c2b83a3c226e189c502e501d83e6445
- https://git.kernel.org/stable/c/d179a868dd755b0cfcf7582e00943d702b9943b8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.