Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31632

CVE-2026-31632: Linux Kernel Information Disclosure Flaw

CVE-2026-31632 is an information disclosure vulnerability in the Linux Kernel caused by a leak of rxgk context in rxgk_verify_response(). This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-31632 Overview

CVE-2026-31632 is a memory leak vulnerability in the Linux kernel's rxrpc subsystem. Specifically, the rxgk_verify_response() function fails to properly clean up the rxgk context it creates, leading to memory resource exhaustion over time. This vulnerability affects the RxRPC protocol implementation used for secure network communications, particularly in AFS (Andrew File System) environments.

Critical Impact

Local attackers with low privileges can exploit this memory leak to cause denial of service conditions by exhausting system memory resources through repeated triggering of the vulnerable code path.

Affected Products

  • Linux Kernel versions 6.15.x through 6.16
  • Linux Kernel 7.0 Release Candidates (rc1 through rc7)
  • Linux Kernel systems using rxrpc/rxgk authentication

Discovery Timeline

  • 2026-04-24 - CVE-2026-31632 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-31632

Vulnerability Analysis

This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). The rxgk_verify_response() function in the Linux kernel's rxrpc subsystem creates an rxgk security context during the authentication response verification process. However, under certain error conditions or normal execution paths, this context is not properly freed before the function returns.

The rxgk (RxRPC GSS-API) security mechanism is used to provide authenticated and encrypted communications for services like AFS. When the verification function allocates memory for the context structure but fails to release it, this memory becomes unreachable and cannot be reclaimed by the system.

Root Cause

The root cause is a missing cleanup routine in the rxgk_verify_response() function. When the function creates an rxgk context to verify an incoming authentication response, it allocates kernel memory. If the verification process encounters an error or completes without properly deallocating this context, the memory remains allocated indefinitely. This represents a classic resource leak pattern where memory allocation is not paired with corresponding deallocation in all code paths.

Attack Vector

The vulnerability requires local access to the system with low privileges. An attacker can exploit this by repeatedly triggering the rxgk verification process, causing incremental memory consumption that eventually leads to system instability or denial of service.

The attack does not require user interaction and does not affect the confidentiality or integrity of the system—the impact is limited to availability. A local user or process that can initiate rxrpc connections could systematically trigger the memory leak by forcing authentication verification attempts, gradually depleting available kernel memory.

Detection Methods for CVE-2026-31632

Indicators of Compromise

  • Gradual increase in kernel memory usage without corresponding process activity
  • System logs showing memory allocation failures or out-of-memory conditions
  • Degraded system performance correlating with rxrpc/AFS authentication activity
  • Elevated MemFree depletion in /proc/meminfo over extended periods

Detection Strategies

  • Monitor kernel slab allocator statistics for growing unreclaimable memory allocations
  • Implement memory usage trending alerts for systems running AFS or rxrpc-dependent services
  • Use kernel debugging tools like kmemleak to identify memory leaks in the rxgk subsystem
  • Review system logs for rxrpc-related error messages or authentication failures

Monitoring Recommendations

  • Configure alerting thresholds for abnormal kernel memory growth patterns
  • Deploy continuous monitoring of systems using rxrpc authentication mechanisms
  • Implement baseline memory usage metrics to detect gradual resource exhaustion
  • Schedule periodic system reboots as a temporary mitigation for systems awaiting patches

How to Mitigate CVE-2026-31632

Immediate Actions Required

  • Apply the official kernel patches from the Linux kernel stable tree immediately
  • Prioritize patching systems that rely heavily on AFS or rxrpc communications
  • Consider temporarily disabling rxgk authentication if not critical to operations
  • Monitor affected systems for memory exhaustion symptoms until patches are applied

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper cleanup of the rxgk context in all code paths within rxgk_verify_response().

Available patches:

Workarounds

  • Implement scheduled system reboots to reclaim leaked memory on critical systems
  • Limit access to rxrpc services to trusted users and networks only
  • Monitor and alert on memory consumption thresholds to detect exploitation attempts
  • Consider disabling the rxgk security mechanism if alternative authentication methods are available
bash
# Check current kernel version for vulnerability status
uname -r

# Monitor kernel memory usage for leak detection
watch -n 60 'cat /proc/meminfo | grep -E "MemFree|Slab|SUnreclaim"'

# Check if rxrpc module is loaded
lsmod | grep rxrpc

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne