CVE-2026-31641 - Vulnerability Details

- rxrpc: Fix RxGK token loading to check bounds

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix RxGK token loading to check bounds

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length
from the XDR token as u32 values and passes each through round_up(x, 4)
before using the rounded value for validation and allocation. When the raw
length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and
kzalloc both use 0 while the subsequent memcpy still copies the original
~4 GiB value, producing a heap buffer overflow reachable from an
unprivileged add_key() call.

Fix this by:

(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket
lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with
the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

(2) Sizing the flexible-array allocation from the validated raw key
length via struct_size_t() instead of the rounded value.

(3) Caching the raw lengths so that the later field assignments and
memcpy calls do not re-read from the token, eliminating a class of
TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.

Published: 2026-04-24

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the Linux kernel's handling of RxGK token data during the add_key() system call. Raw key and ticket lengths are read as 32‑bit values and rounded up before allocation. If a length reaches or exceeds 0xFFFFFFFD, the rounding function wraps to zero, causing the kernel to allocate a zero‑byte buffer yet subsequently copy almost 4 GiB of data into it. This overflow can corrupt the heap, leading to undefined behavior and enabling an unprivileged user to trigger local privilege escalation by corrupting kernel memory. The vulnerability is a classic heap buffer overflow (CWE‑125) coupled with a signed integer wraparound (CWE‑190).

Affected Systems

Linux kernel versions 6.16 and all 7.0 release candidates from rc1 through rc7 are impacted until the flaw is patched. Any system running these kernels and allowing the add_key() operation is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 rates the flaw as high severity, while the EPSS score of less than 1% indicates a low probability of current exploitation. It is not listed in the CISA KEV catalog, suggesting no widespread active exploitation yet. The flaw can be triggered from user space via the unprivileged add_key() call, requiring no elevated privileges. Attackers would need to supply a crafted RxGK token to an enabled RxRPC component. Successful exploitation could lead to full local privilege escalation if memory corruption is leveraged effectively. Overall, the risk is significant for systems that regularly process RxGK tokens or expose add_key() to untrusted users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0ca100ff4df64f5d0f6c1dd5080c3e096786bea6`	affected	< 3e04596cba8a86cbff9c3f4bf0a524a3a488773c
`0ca100ff4df64f5d0f6c1dd5080c3e096786bea6`	affected	< 49875b360c2b83a3c226e189c502e501d83e6445
`0ca100ff4df64f5d0f6c1dd5080c3e096786bea6`	affected	< d179a868dd755b0cfcf7582e00943d702b9943b8

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.23`	unaffected	≤ 6.18.*
`6.19.13`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.16:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0ca100ff4df64f5d0f6c1dd5080c3e096786bea6,3e04596cba8a86cbff9c3f4bf0a524a3a488773c)`	affected	code_commit	—
`[0ca100ff4df64f5d0f6c1dd5080c3e096786bea6,49875b360c2b83a3c226e189c502e501d83e6445)`	affected	code_commit	—
`[0ca100ff4df64f5d0f6c1dd5080c3e096786bea6,d179a868dd755b0cfcf7582e00943d702b9943b8)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.16`	affected	generic	—
`[0,6.16)`	unaffected	generic	—
`[6.18.23,7.0.0)`	unaffected	semver	—
`[6.19.13,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the backported fix for CVE‑2026‑31641, referencing commit c3e04596cba8a86cbff9c3f4bf0a524a3a488773c and subsequent related commits.
If immediate kernel upgrade is not possible, restrict the use of the add_key() system call by SELinux, AppArmor, or other Linux security modules to prevent untrusted applications from creating keys.
Disable or mitigate RxRPC usage on the affected systems by configuring network services to avoid loading the RxRPC module or by applying custom kernel parameters that drop the problematic code paths.

Generated by OpenCVE AI on April 28, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c
https://git.kernel.org/stable/c/49875b360c2b83a3c226e189c502e501d83e6445
https://git.kernel.org/stable/c/d179a868dd755b0cfcf7582e00943d702b9943b8
https://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31641-2dee@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31641
https://www.cve.org/CVERecord?id=CVE-2026-31641

History

Mon, 27 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
CPEs		cpe:2.3:o:linux:linux_kernel:6.16:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190
References		https://lore.kernel.org/linux-cve-announce/2026042457-CVE-2026-31641-2dee@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31641 https://www.cve.org/CVERecord?id=CVE-2026-31641
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bounds rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call. Fix this by: (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX. (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value. (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse. The control path (valid token with lengths within bounds) is unaffected.
Title		rxrpc: Fix RxGK token loading to check bounds
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c https://git.kernel.org/stable/c/49875b360c2b83a3c226e189c502e501d83e6445 https://git.kernel.org/stable/c/d179a868dd755b0cfcf7582e00943d702b9943b8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:44:56.204Z

Updated: 2026-05-11T22:12:44.593Z

Reserved: 2026-03-09T15:48:24.126Z

Link: CVE-2026-31641

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:43.463

Modified: 2026-04-27T20:20:11.543

Link: CVE-2026-31641

Redhat

Severity : Important

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31641 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object