CRITICAL
rxrpc RXGK Overflow
CVE-2026-46039
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.1 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

rxgk: Fix potential integer overflow in length check

Fix potential integer overflow in rxgk_extract_token() when checking the length of the ticket. Rather than rounding up the value to be tested (which might overflow), round down the size of the available data.
02 KernelScan AI Analysis
Risk summary
Remote attackers can trigger an integer overflow in RxRPC RXGK token processing by sending UDP packets with crafted ticket length values near UINT32_MAX. The overflow bypasses the length validation, causing an out-of-bounds read from the network buffer (skb). This can leak small amounts of kernel heap data before the unbounded read hits unmapped pages and triggers a kernel panic.
Vulnerability analysis
The vulnerability exists in rxgk_extract_token(), where xdr_round_up(ticket_len) evaluates to zero due to 32-bit integer wraparound when ticket_len is in the range 0xFFFFFFFD–0xFFFFFFFF. Because the rounded value compares as zero, the length check passes and the parser proceeds with a ticket_len far exceeding the actual packet data. Subsequent access to the ticket buffer then reads beyond the sk_buff bounds. The fix replaces the round-up of the untrusted value with a round-down of the trusted buffer size, so no arithmetic is performed on attacker-controlled data and the check cannot be bypassed. This is remotely reachable via UDP to an RxRPC endpoint without authentication.
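The two check shapes described above, side by side, as an added illustration that is not the kernel's code: xdr_round_up/xdr_round_down are written here with the usual (len + 3) & ~3 and len & ~3 forms, and the two length_check_* functions are assumed simplified stand-ins for the pre-fix and post-fix comparison in rxgk_extract_token(). The packet size of 64 bytes and the probe values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XDR pads every item to a 4-byte boundary. Both helpers are written for
 * this example; they follow the conventional (len + 3) & ~3 shape. */
static uint32_t xdr_round_up(uint32_t len)
{
	return (len + 3u) & ~3u;      /* wraps to 0 for len >= 0xFFFFFFFD */
}

static uint32_t xdr_round_down(uint32_t len)
{
	return len & ~3u;             /* never exceeds len, so it cannot wrap */
}

/* Pre-fix shape (assumed): round up the untrusted ticket_len and ask whether
 * the padded ticket fits in the bytes remaining in the packet.
 * Returns 1 if the length is accepted, 0 if rejected. */
int length_check_round_up(uint32_t ticket_len, uint32_t remaining)
{
	return xdr_round_up(ticket_len) <= remaining;
}

/* Post-fix shape (assumed): round down the trusted remaining size and compare
 * the raw untrusted value against it. No arithmetic touches attacker data. */
int length_check_round_down(uint32_t ticket_len, uint32_t remaining)
{
	return ticket_len <= xdr_round_down(remaining);
}

/* Count the ticket_len values in the inclusive range [lo, hi] that the
 * round-up check accepts but the round-down check rejects, for a packet
 * with `remaining` bytes left. These are the values that slip past the
 * pre-fix check only because of wraparound. */
unsigned count_wrongly_accepted(uint32_t lo, uint32_t hi, uint32_t remaining)
{
	unsigned n = 0;
	uint32_t len = lo;

	for (;;) {
		if (length_check_round_up(len, remaining) &&
		    !length_check_round_down(len, remaining))
			n++;
		if (len == hi)          /* avoids the loop counter itself wrapping */
			break;
		len++;
	}
	return n;
}

int main(void)
{
	const uint32_t remaining = 64;   /* constructed: bytes left in the packet */
	const uint32_t probes[] = {
		61, 64, 65, 0xFFFFFFFCu, 0xFFFFFFFDu, 0xFFFFFFFFu
	};

	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		uint32_t len = probes[i];
		printf("ticket_len=0x%08x round_up=0x%08x  pre-fix:%s  post-fix:%s\n",
		       len, xdr_round_up(len),
		       length_check_round_up(len, remaining) ? "accept" : "reject",
		       length_check_round_down(len, remaining) ? "accept" : "reject");
	}
	printf("wrongly accepted in [0xFFFFFFF0, 0xFFFFFFFF] with %u bytes left: %u\n",
	       remaining, count_wrongly_accepted(0xFFFFFFF0u, 0xFFFFFFFFu, remaining));
	return 0;
}
```

For ordinary lengths the two checks agree (61 fits in 64 but not in 63, since the padded ticket occupies 64 bytes either way); they diverge only for the three values at the top of the 32-bit range, where the round-up result is 0 and the pre-fix comparison accepts a ticket the packet cannot possibly hold. Rounding down the buffer size is the general rule for this bug class: do the alignment arithmetic on the value you trust, and compare the untrusted one against the result.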
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.17 | 6.17 | 43222ac484f9 |
| 6.18 | 6.18.27 | 183d37f12d1c |
| 7.0 | 7.0.4 | 6929350080f4 |
| mainline | 7.1-rc1 | — |