KernelScan.io

CRITICAL

rxrpc Authenticator Parser OOB

CVE-2026-31636

CVSS 9.1 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

KernelScan AI score: 9.1 (CRITICAL)


In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix RESPONSE authenticator parser OOB read

rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer.

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
Call Trace:
 dump_stack_lvl() [lib/dump_stack.c:123]
 print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
 kasan_report() [mm/kasan/report.c:597]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Allocated by task 54:
 rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]

Convert the byte count to __be32 units before constructing the parser limit.


Engine v0.2.0

Risk summary

A critical network-accessible buffer overflow in the Linux kernel's RxRPC rxgk security implementation. Remote attackers can send specially crafted RESPONSE authenticators to cause out-of-bounds memory reads, potentially leading to information disclosure or system crashes. The vulnerability affects systems using GSSAPI authentication with RxRPC.

Affected: net/rxrpc/rxgk.c

Vulnerability analysis

Root Cause: The rxgk_verify_authenticator() function incorrectly calculates buffer bounds when parsing RESPONSE authenticators. It copies auth_len bytes into a temporary buffer but then passes 'p + auth_len' as the parser limit to rxgk_do_verify_authenticator(). Since 'p' is a __be32 pointer, pointer arithmetic inflates the end pointer by a factor of 4, allowing reads beyond the allocated kmalloc() buffer.

Attack Surface: Network-accessible through RxRPC protocol processing. Attackers can send malformed RESPONSE authenticators over the network to trigger out-of-bounds reads. The vulnerability is in the rxgk security class implementation for GSSAPI authentication, so it affects systems using this authentication method.

Fix Mechanism: The patch converts the byte count to __be32 units before constructing the parser limit by dividing auth_len by sizeof(*p), ensuring the end pointer correctly represents the actual buffer boundary in terms of __be32 elements rather than bytes.
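To make the unit mismatch in the root cause and the fix concrete, here is an added C illustration; it is not code from the kernel, from the patch, or from KernelScan. The authenticator layout it parses (a word count followed by that many words) is invented for the demonstration, and the two functions only borrow the kernel names as stand-ins. The emulated kmalloc() buffer sits inside a larger zeroed shadow region so that reads past the allocation can be counted here (the miniature equivalent of the KASAN slab-out-of-bounds report above) instead of faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's __be32: a 32-bit big-endian word. */
typedef uint32_t be32_t;

/* Shadow region around the emulated kmalloc() buffer so the defective limit
   can be exercised without touching memory this program does not own. */
#define BACKING_WORDS 16

struct emu {
    be32_t   backing[BACKING_WORDS];
    size_t   alloc_len;   /* bytes the emulated kmalloc() buffer really holds */
    unsigned oob_reads;   /* word reads that landed past alloc_len */
};

/* Bounds-checked read of one big-endian word, advancing *pp.
   Returns -1 when the parser has reached its limit pointer, 0 otherwise. */
static int read_be32(struct emu *e, const be32_t **pp, const be32_t *end, uint32_t *out)
{
    const be32_t *p = *pp;
    if (p >= end)
        return -1;
    /* Miniature KASAN: the limit may lie beyond the real allocation. */
    size_t off = (size_t)((const uint8_t *)p - (const uint8_t *)e->backing);
    if (off + sizeof(*p) > e->alloc_len)
        e->oob_reads++;
    const uint8_t *b = (const uint8_t *)p;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    *pp = p + 1;
    return 0;
}

/* Toy stand-in for rxgk_do_verify_authenticator(): a word count followed by
   that many words. Rejects input that claims more words than the limit allows. */
static int do_verify_authenticator(struct emu *e, const be32_t *p, const be32_t *end)
{
    uint32_t count, word;
    if (read_be32(e, &p, end, &count) < 0)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        if (read_be32(e, &p, end, &word) < 0)
            return -1;          /* truncated authenticator */
    return 0;
}

/* Toy stand-in for rxgk_verify_authenticator(): copy auth_len bytes into a
   fresh buffer, then hand the parser a limit pointer. use_fixed_limit selects
   the corrected limit (p + auth_len / sizeof(*p)) or the defective one
   (p + auth_len, which advances 4 bytes per byte of auth_len). */
int verify_authenticator(struct emu *e, const uint8_t *auth, size_t auth_len, int use_fixed_limit)
{
    if (auth_len > BACKING_WORDS)   /* keep even the defective limit inside the shadow */
        return -2;
    memset(e->backing, 0, sizeof(e->backing));
    memcpy(e->backing, auth, auth_len);
    e->alloc_len = auth_len;
    e->oob_reads = 0;

    const be32_t *p = e->backing;
    const be32_t *end = use_fixed_limit ? p + auth_len / sizeof(*p)   /* fixed */
                                        : p + auth_len;               /* defect */
    return do_verify_authenticator(e, p, end);
}

/* Constructed sample: claims 5 words but carries only 2 (12 bytes total). */
static const uint8_t kMalformedAuth[12] = {
    0x00, 0x00, 0x00, 0x05,
    0x11, 0x11, 0x11, 0x11,
    0x22, 0x22, 0x22, 0x22,
};

int main(void)
{
    struct emu e;
    int rc = verify_authenticator(&e, kMalformedAuth, sizeof(kMalformedAuth), 0);
    printf("defective limit: rc=%d, reads past allocation=%u\n", rc, e.oob_reads);
    rc = verify_authenticator(&e, kMalformedAuth, sizeof(kMalformedAuth), 1);
    printf("fixed limit:     rc=%d, reads past allocation=%u\n", rc, e.oob_reads);
    return 0;
}
```

With the defective limit the 12-byte input yields a limit 48 bytes past the buffer, so the parser "succeeds" after consuming three words that lie outside the allocation; with the limit expressed in __be32 units it stops at the third word and rejects the input without a single out-of-bounds read. Dividing by sizeof(*p) also truncates an auth_len that is not a multiple of four, which keeps the limit inside the buffer rather than past it.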


Branch     Fixed in   Patch commit
6.18       6.18.23    7875f3d9777b
6.19       6.19.13    20a188775a9a
mainline   7.0        3e3138007887