CVE-2026-31630 Overview
A buffer overflow vulnerability has been discovered in the Linux kernel's AF_RXRPC procfs helpers. The vulnerability exists in the net/rxrpc/proc.c file where local and remote socket addresses are formatted into fixed 50-byte stack buffers using the %pISpc format specifier. This buffer size is insufficient to accommodate the longest possible IPv6-with-port address format that the formatter can produce.
The issue arises because the compressed IPv6 path in lib/vsprintf.c uses a dotted-quad tail not only for v4mapped addresses but also for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) addresses via ipv6_addr_is_isatap(). This means addresses such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 can be generated, which requires 51 bytes including the trailing NUL character—exceeding the existing 50-byte buffer allocation.
Critical Impact
Local attackers with low privileges can potentially trigger stack buffer overflow conditions in the kernel's RxRPC subsystem, leading to memory corruption with high confidentiality, integrity, and availability impact.
Affected Products
- Linux Kernel versions prior to the security patch
- Linux Kernel 4.9 and related versions
- Linux Kernel 7.0 release candidates (rc1 through rc7)
Discovery Timeline
- 2026-04-24 - CVE-2026-31630 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31630
Vulnerability Analysis
This vulnerability is classified as a stack buffer overflow, a type of memory corruption vulnerability. The flaw exists in the kernel's RxRPC (Remote Procedure Call) protocol implementation, specifically within the procfs interface that exposes connection information to userspace.
The %pISpc format specifier is used to print socket addresses in a human-readable format with port numbers. When handling ISATAP addresses—a deprecated tunneling mechanism for transporting IPv6 packets over IPv4 networks—the kernel's vsprintf.c implementation produces output that exceeds the allocated buffer space.
The vulnerability requires local access to exploit, meaning an attacker must already have some level of access to the system. However, only low privileges are required to trigger the condition, and no user interaction is necessary. Successful exploitation could allow an attacker to corrupt adjacent stack memory, potentially leading to privilege escalation or system instability.
Root Cause
The root cause is an undersized stack buffer allocation in net/rxrpc/proc.c. The developers allocated 50-byte character buffers (char[50]) for formatting socket addresses, without accounting for the maximum possible output length of the %pISpc format specifier.
The ISATAP address format path in the kernel's vsprintf implementation can produce addresses like [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535, which consists of 50 visible characters plus a trailing NUL terminator, requiring 51 bytes total. This off-by-one error in buffer sizing creates a classic stack buffer overflow condition.
Attack Vector
The attack vector is local, requiring the attacker to have existing access to the target system. Exploitation involves triggering the RxRPC procfs helpers to format specially crafted ISATAP addresses that exceed the buffer capacity.
The vulnerability can be triggered when reading RxRPC connection information through the /proc filesystem interface. An attacker could potentially craft network conditions or manipulate RxRPC connections to cause the kernel to format an ISATAP address that overflows the stack buffer.
The fix involves properly sizing the buffers based on the formatter's maximum textual output and switching the call sites to use scnprintf(), which provides bounds-checked string formatting.
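The sizing argument and the bounded-formatting fix described above, as an added userspace example (not the kernel patch and not code from the original page). `scn()` is a stand-in for the kernel's scnprintf(), and `fmt_isatap()` is a hypothetical simplified formatter that hard-codes the `0:5efe` marker; it is not the `%pISpc` implementation in lib/vsprintf.c.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Longest output the page gives for %pISpc: 50 visible characters. */
#define WORST_CASE "[ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535"
#define OLD_ADDR_BUF 50                  /* char[50], as described on the page */
#define NEW_ADDR_BUF sizeof(WORST_CASE)  /* 51: sized from the worst case, NUL included */

/* Userspace stand-in for the kernel's scnprintf(): never writes past size and
 * returns the number of characters actually stored, excluding the NUL. */
static int scn(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : ((size_t)n >= size ? (int)(size - 1) : n);
}

/* Constructed ISATAP-style formatter (hypothetical, not lib/vsprintf.c):
 * four leading hextets, the fixed 0:5efe marker, a dotted-quad tail, a port. */
static int fmt_isatap(char *buf, size_t size, const unsigned h[4],
                      const unsigned q[4], unsigned port)
{
    return scn(buf, size, "[%x:%x:%x:%x:0:5efe:%u.%u.%u.%u]:%u",
               h[0], h[1], h[2], h[3], q[0], q[1], q[2], q[3], port);
}

/* Bytes a buffer must hold for the worst-case address, NUL included. */
static size_t worst_case_bytes(void)
{
    return (size_t)snprintf(NULL, 0, "%s", WORST_CASE) + 1;
}

int main(void)
{
    const unsigned h[4] = { 0xffff, 0xffff, 0xffff, 0xffff };
    const unsigned q[4] = { 255, 255, 255, 255 };
    char old_buf[OLD_ADDR_BUF], new_buf[NEW_ADDR_BUF];

    printf("need %zu bytes\n", worst_case_bytes());
    printf("50-byte buffer stores %d chars (truncated)\n", fmt_isatap(old_buf, sizeof(old_buf), h, q, 65535));
    printf("51-byte buffer stores %d chars\n", fmt_isatap(new_buf, sizeof(new_buf), h, q, 65535));
    return 0;
}
```

With the bounded call, the 50-byte buffer gets a truncated string instead of a write past its end; sizing the buffer from the worst case is what makes the full address fit.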
Detection Methods for CVE-2026-31630
Indicators of Compromise
- Unexpected kernel panics or crashes related to the RxRPC subsystem
- Stack corruption errors in kernel logs referencing net/rxrpc/proc.c
- Anomalous access patterns to RxRPC-related procfs entries
- Memory corruption warnings in kernel ring buffer (dmesg)
Detection Strategies
- Monitor kernel logs for stack buffer overflow warnings or KASAN reports related to RxRPC
- Implement runtime kernel integrity checking to detect memory corruption
- Use kernel address sanitizer (KASAN) on development/testing systems to identify exploitation attempts
- Audit access to /proc/net/rxrpc* files for unusual patterns
Monitoring Recommendations
- Enable kernel auditing for procfs access related to network subsystems
- Deploy endpoint detection solutions capable of monitoring kernel-level anomalies
- Implement centralized logging for kernel messages across affected systems
- Monitor for privilege escalation attempts following RxRPC activity
How to Mitigate CVE-2026-31630
Immediate Actions Required
- Apply the official kernel patches from the Linux kernel stable tree immediately
- Prioritize patching systems where untrusted users have local access
- If patching is not immediately possible, consider restricting access to RxRPC procfs entries
- Review system logs for any signs of prior exploitation attempts
Patch Information
The Linux kernel maintainers have released patches that properly size the address buffers and switch to using scnprintf() for bounds-checked string formatting. The patches are available through the kernel stable tree:
- Kernel Git Commit 10ebed83f9f6414af4e85bc85ffaeda7effdd874
- Kernel Git Commit a44ce6aa2efb61fe44f2cfab72bb01544bbca272
- Kernel Git Commit db297c78ce537c9ac96f0eda9b25ad72c8caefa9
Organizations should update to a patched kernel version through their distribution's package management system or by compiling from source with the security commits applied.
Workarounds
- Restrict local user access to systems running vulnerable kernel versions
- Disable the RxRPC module if not required: modprobe -r rxrpc and blacklist via /etc/modprobe.d/
- Implement mandatory access control (SELinux/AppArmor) policies to restrict procfs access
- Limit network access to reduce the likelihood of triggering the vulnerable code path
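# Disable RxRPC module if not needed (run as root)
# The blacklist entry stops alias-based autoloading of the module
echo "blacklist rxrpc" >> /etc/modprobe.d/blacklist-rxrpc.conf
# Unload the module now; this fails if another module still depends on it
modprobe -r rxrpc
# Verify module is unloaded (no output means it is not loaded)
lsmod | grep rxrpc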
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


