Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: proc: size address buffers for %pISpc output

The AF_RXRPC procfs helpers format local and remote socket addresses into
fixed 50-byte stack buffers with "%pISpc".

That is too small for the longest current-tree IPv6-with-port form the
formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a
dotted-quad tail not only for v4mapped addresses, but also for ISATAP
addresses via ipv6_addr_is_isatap().

As a result, a case such as

[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535

is possible with the current formatter. That is 50 visible characters, so
51 bytes including the trailing NUL, which does not fit in the existing
char[50] buffers used by net/rxrpc/proc.c.

Size the buffers from the formatter's maximum textual form and switch the
call sites to scnprintf().

Changes since v1:
- correct the changelog to cite the actual maximum current-tree case
explicitly
- frame the proof around the ISATAP formatting path instead of the earlier
mapped-v4 example
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack-based buffer overflow in Linux kernel AF_RXRPC procfs output
Action: Apply Patch
AI Analysis

Impact

The Linux kernel's AF_RXRPC procfs helpers format socket addresses into fixed 50‑byte stack buffers using the %pISpc conversion specifier. The formatter writes a dotted-quad tail for v4-mapped and ISATAP addresses, and the longest case cited in the description, an ISATAP address with port 65535, is 50 characters long, requiring 51 bytes once the terminating NUL byte is added. Because the buffer is only 50 bytes, the formatting operation overflows the stack, corrupting kernel memory. This defect can cause a kernel crash, random kernel state changes, or other unpredictable behavior, but does not provide direct code execution or clear privilege escalation from the information supplied.
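A userspace model of the sizing argument above, added here as an illustration and not taken from the kernel patch. `fmt_isatap_port`, `bounded_len` and the macro names are hypothetical, and the formatter is a stand-in that emits only the bracketed dotted-quad-tail layout rather than the kernel's `%pISpc` implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_ADDR_BUF 50 /* char[50] size quoted in the description */
/* Longest form cited in the description; sizeof() counts the NUL too. */
#define MAX_ADDR_TEXT "[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535"
#define G(a, i) ((unsigned)(((a)[i] << 8) | (a)[(i) + 1]))

/* Constructed sample: the ISATAP address from the description. */
static const uint8_t isatap_max[16] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x5e, 0xfe, 255, 255, 255, 255
};

/* Userspace stand-in for the bracketed form with a dotted-quad tail.
 * It skips "::" compression, which can only shorten the text. Returns
 * the untruncated length, like snprintf(). */
static int fmt_isatap_port(char *buf, size_t size, const uint8_t *a,
                           uint16_t port)
{
    return snprintf(buf, size, "[%x:%x:%x:%x:%x:%x:%u.%u.%u.%u]:%u",
                    G(a, 0), G(a, 2), G(a, 4), G(a, 6), G(a, 8), G(a, 10),
                    (unsigned)a[12], (unsigned)a[13], (unsigned)a[14],
                    (unsigned)a[15], (unsigned)port);
}

/* Bytes the buffer must hold for the worst case: visible chars + NUL. */
static size_t required_buf_size(void)
{
    return (size_t)fmt_isatap_port(NULL, 0, isatap_max, 65535) + 1;
}

/* Bounded write reporting chars actually stored (scnprintf()-style). */
static size_t bounded_len(char *buf, size_t size)
{
    int n = fmt_isatap_port(buf, size, isatap_max, 65535);
    if (size == 0)
        return 0;
    return (size_t)n >= size ? size - 1 : (size_t)n;
}

int main(void)
{
    char old_buf[OLD_ADDR_BUF], new_buf[sizeof(MAX_ADDR_TEXT)];
    printf("need %zu bytes, old buffer has %d\n", required_buf_size(), OLD_ADDR_BUF);
    printf("old stored %zu chars, new stored %zu\n",
           bounded_len(old_buf, sizeof(old_buf)), bounded_len(new_buf, sizeof(new_buf)));
    return 0;
}
```

With a bounded formatter the 50-byte buffer loses the last character instead of writing past its end; a buffer sized from the maximum text holds all 50 characters plus the NUL.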

Affected Systems

All kernel releases that include the original AF_RXRPC procfs code with the 50‑byte buffer are vulnerable. The CPE data lists kernel version 4.9 and all 7.0 release candidates up to rc7, so any distribution shipping those kernels without the upstream patch is affected until a fix is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of <1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. Exploitation depends on the kernel formatting an oversized address representation, a condition that is not trivially engineered remotely, so the practical risk is high severity but low exploitation probability.

Generated by OpenCVE AI on April 28, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the buffer‑resize patch for AF_RXRPC procfs output (e.g., upgrade to a kernel containing commit 10ebed83f9f...).
  • If an official distribution update is unavailable, rebuild the kernel from source with the upstream commit applied and install the patched kernel image.
  • After installing the patched kernel, restart any services that use AF_RXRPC networking. Until the kernel patch is in place, disable AF_RXRPC, if feasible, on systems where it is not required to minimize exposure.



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:4.9:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title rxrpc: proc: size address buffers for %pISpc output
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:13:03.129Z

Reserved: 2026-03-09T15:48:24.124Z

Link: CVE-2026-31630

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-24T15:16:42.323

Modified: 2026-06-01T17:16:54.030

Link: CVE-2026-31630

Redhat

Severity: Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31630 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z
