KernelScan.io

HIGH

rxrpc Challenge Response Logic Error

CVE-2026-31640

CVSS 7.5 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI: 7.5 HIGH

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial

In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet.

Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.

Engine v0.2.0

Risk summary

A logic error in RxRPC challenge response handling could lead to incorrect packet selection and memory leaks. While not directly exploitable for code execution, it may cause resource exhaustion or authentication bypass in network filesystem operations over time.

Affected: net/rxrpc/conn_event.c

Vulnerability analysis

Summary: The rxrpc_post_response() function contains a logic error where it compares challenge serial numbers using the wrong socket buffer (skb), causing incorrect packet selection and potential resource leaks.

Root Cause: In rxrpc_post_response(), when deciding whether to replace a cached response with a newer one, the variable meant to hold the old packet's private data (osp) is initialised from the new packet (skb) instead of the cached one (old). The comparison 'after(sp->resp.challenge_serial, osp->resp.challenge_serial)' therefore tests the new packet's serial against itself, so it is always false and the cached response is never switched to the newer one.

Attack Surface: This affects the RxRPC protocol implementation used by network filesystems like AFS. The vulnerability is reachable through network packets containing CHALLENGE/RESPONSE authentication exchanges. No special privileges are required as this occurs during normal protocol operation.

Fix Mechanism: The patch fixes two issues: (1) Changes the comparison to use the old packet's private data by correcting 'struct rxrpc_skb_priv *osp = rxrpc_skb(skb)' to 'struct rxrpc_skb_priv *osp = rxrpc_skb(old)', and (2) Adds proper resource cleanup by calling rxrpc_free_skb() on whichever packet is not used, preventing memory leaks.
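The wrong-skb comparison and its fix, modelled as an added example that is not the kernel's code: a simplified C sketch of the old-versus-new packet selection with the vulnerable form beside the corrected one. struct skb, skb_alloc(), live_skbs and run() are constructed stand-ins, and after() is reimplemented here as the usual wraparound serial comparison.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the cached-RESPONSE selection in rxrpc_post_response(),
 * not the kernel's code. live_skbs counts allocations so a leak is visible. */
struct skb { uint32_t challenge_serial; };
static int live_skbs;

/* Serial comparison with wraparound, in the style of the kernel's after(). */
#define after(a, b) ((int32_t)((a) - (b)) > 0)
static struct skb *skb_alloc(uint32_t serial)
{
    struct skb *s = malloc(sizeof(*s));
    s->challenge_serial = serial; live_skbs++;
    return s;
}
static void rxrpc_free_skb(struct skb *s) { if (s) { live_skbs--; free(s); } }

/* Vulnerable: osp is derived from the new skb, so the new serial is compared
 * with itself; after() is never true once a response is cached. */
static void post_response_buggy(struct skb **cached, struct skb *skb)
{
    struct skb *old = *cached, *sp = skb;
    struct skb *osp = skb;                    /* bug: should be osp = old */
    if (!old || after(sp->challenge_serial, osp->challenge_serial))
        *cached = skb;                        /* unreachable once cached */
    /* else: the newer packet is dropped without rxrpc_free_skb(): the leak */
}

/* Fixed: compare against the old packet, keep the newer one, free the other. */
static void post_response_fixed(struct skb **cached, struct skb *skb)
{
    struct skb *old = *cached;
    if (!old || after(skb->challenge_serial, old->challenge_serial)) {
        *cached = skb;                        /* substitute the newer packet */
        rxrpc_free_skb(old);                  /* NULL-safe on the first post */
    } else
        rxrpc_free_skb(skb);                  /* not newer: release it */
}

/* Post serials in order and return the cached one; live_skbs then = leaks. */
static uint32_t run(void (*post)(struct skb **, struct skb *),
                    const uint32_t *serials, int n)
{
    struct skb *cached = NULL; live_skbs = 0;
    for (int i = 0; i < n; i++)
        post(&cached, skb_alloc(serials[i]));
    uint32_t kept = cached->challenge_serial; rxrpc_free_skb(cached);
    return kept;
}
```

Feeding the serials 10, 11, 9 through both variants shows the buggy path keeping serial 10 and leaving two packets unreleased, while the fixed path keeps 11 and frees everything else.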

Branch     Fixed in   Patch commit
6.18       6.18.23    9132b1a7bf83
6.19       6.19.13    20386e7f8d97
mainline   7.0        b33f5741bb18