KernelScan.io

CRITICAL

rxrpc Token Length Overflow

CVE-2026-31633

CVSS 9.8 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 9.8 CRITICAL


In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix integer overflow in rxgk_verify_response()

In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed.

Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet).


Engine v0.2.0

Risk summary

A remote attacker can send specially crafted rxrpc packets with malicious token length values to cause integer overflow, potentially bypassing security checks and leading to buffer overread. This could result in information disclosure or system instability. The vulnerability affects systems using the rxrpc protocol with GSSAPI authentication.

Affected: net/rxrpc/rxgk.c

Vulnerability analysis

Root Cause: In rxgk_verify_response(), the code performs rounding up of token_len using xdr_round_up() before checking if the result exceeds the available buffer length. This creates an integer overflow vulnerability where a large token_len value could wrap around during the rounding operation, bypassing the length validation and potentially leading to buffer overread.

Attack Surface: This vulnerability affects the rxrpc network protocol implementation, specifically the GSSAPI-based rxgk security class. It can be triggered by network packets containing malicious token_len values in rxgk response messages. The attack surface is network-based and requires the ability to send crafted UDP packets to the target system.

Fix Mechanism: The patch adds an additional check to validate the unrounded token_len value against the available length before performing the rounding operation. This ensures that even if the rounded value would overflow, the original value is still validated to be within bounds.
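The check ordering described above, as a simplified user-space model added here for illustration (it is not the kernel's code). The helper round_up4(), the two check function names, the 32-bit length type and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for XDR rounding to a 4-byte boundary,
 * modelled with 32-bit arithmetic so the wrap is visible. */
static uint32_t round_up4(uint32_t n)
{
    return (n + 3u) & ~3u;   /* n + 3 wraps to a small value near UINT32_MAX */
}

/* Pattern before the fix: only the rounded length is compared to len. */
static bool check_rounded_only(uint32_t token_len, uint32_t len)
{
    return round_up4(token_len) <= len;
}

/* Pattern after the fix: the unrounded length is checked against len too,
 * so a value that wraps during rounding is rejected first. */
static bool check_unrounded_too(uint32_t token_len, uint32_t len)
{
    if (token_len > len)
        return false;
    return round_up4(token_len) <= len;
}

int main(void)
{
    /* Constructed sample values: len models the bytes left in one
     * UDP-sized response; the token lengths are wire-supplied. */
    const uint32_t len = 1200;
    const uint32_t samples[] = { 100u, 1199u, 1201u, 0xFFFFFFFDu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t t = samples[i];
        printf("token_len=0x%08x rounded=0x%08x rounded-only=%s fixed=%s\n",
               (unsigned)t, (unsigned)round_up4(t),
               check_rounded_only(t, len) ? "accept" : "reject",
               check_unrounded_too(t, len) ? "accept" : "reject");
    }
    return 0;
}
```

The last sample is the case the fix targets: its rounded value wraps to 0 and passes the rounded-only comparison, while the unrounded comparison rejects it.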


Branch     Fixed in   Patch commit
6.18       6.18.23    1f864d9daaf6
6.19       6.19.13    c1e242beb6b1
mainline   7.0        699e52180f42