HIGH
rxrpc GSSAPI Authenticator Overread
CVE-2026-31631
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
KernelScan AI 8.2 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()

Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce.
02 KernelScan AI Analysis
Risk summary
A remote attacker can send specially crafted rxrpc packets with insufficient data to trigger a buffer overread in the kernel's GSSAPI authentication code. This could potentially lead to information disclosure by reading kernel memory beyond the intended buffer, or system instability. The vulnerability affects systems using AFS with GSSAPI authentication.
Vulnerability analysis
Root Cause: The rxgk_do_verify_authenticator() function in the rxrpc GSSAPI security implementation was accessing a 20-byte nonce from the buffer without first verifying that the buffer contained at least 24 bytes of data. This could lead to reading beyond the allocated buffer boundaries when processing malformed or truncated network packets.
Attack Surface: This vulnerability affects the rxrpc network protocol implementation, specifically the GSSAPI-based rxgk security class. It can be triggered by remote attackers sending malformed rxrpc packets over the network to systems running AFS (Andrew File System) services or clients.
Fix Mechanism: The patch adds a buffer size check before accessing the nonce data. It verifies that (end - p) * sizeof(__be32) is at least 24 bytes before proceeding with the memcmp() operation on the 20-byte nonce. If the buffer is too small, it returns an authentication error with the appropriate abort response.
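The check ordering described under Fix Mechanism, as a userspace C model added here for illustration; it is not the kernel patch or code from this page. The function names, return codes and sample buffers are constructed, and the 20-byte and 24-byte figures are the ones given above.

```c
/* Userspace model of the check order described above; not kernel code.
 * Function names, return codes and sample data are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NONCE_LEN    20  /* nonce size stated on the page */
#define MIN_AUTH_LEN 24  /* minimum remaining bytes the fix requires */

enum verify_result { VERIFY_OK = 0, VERIFY_SHORT = -1, VERIFY_BAD_NONCE = -2 };

/* "Before" ordering: compares 20 bytes with no proof they are present.
 * Sound only if the caller has already guaranteed the length. */
enum verify_result verify_nonce_unchecked(const uint32_t *p,
                                          const uint8_t *nonce)
{
    return memcmp(p, nonce, NONCE_LEN) == 0 ? VERIFY_OK : VERIFY_BAD_NONCE;
}

/* "After" ordering: length check first, comparison second. */
enum verify_result verify_nonce_checked(const uint32_t *p, const uint32_t *end,
                                        const uint8_t *nonce)
{
    if (end < p || (size_t)(end - p) * sizeof(uint32_t) < MIN_AUTH_LEN)
        return VERIFY_SHORT;      /* reject before reading any payload */
    if (memcmp(p, nonce, NONCE_LEN) != 0)
        return VERIFY_BAD_NONCE;
    return VERIFY_OK;
}

/* Constructed test input: `words` 32-bit words holding as much of the
 * nonce as fits; `corrupt` flips the first byte. words must be <= 8. */
enum verify_result run_case(size_t words, int corrupt)
{
    uint8_t nonce[NONCE_LEN];
    uint32_t buf[8] = {0};
    size_t avail = words * sizeof(uint32_t);

    for (size_t i = 0; i < NONCE_LEN; i++)
        nonce[i] = (uint8_t)(0xA0 + i);
    memcpy(buf, nonce, avail < NONCE_LEN ? avail : NONCE_LEN);
    if (corrupt)
        ((uint8_t *)buf)[0] ^= 0xFF;
    return verify_nonce_checked(buf, buf + words, nonce);
}
```

A 5-word (20-byte) input is rejected as short even though the nonce itself would fit, because the check enforces the 24-byte minimum rather than the nonce length alone.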
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.23 | 794586789800 |
| 6.19 | 6.19.13 | 1c4422d8be81 |
| mainline | 7.0 | f564af387c8c |