CVE-2026-31633 Overview
CVE-2026-31633 is an integer overflow vulnerability in the Linux kernel's rxrpc subsystem, specifically within the rxgk_verify_response() function. The flaw occurs because token_len is rounded up before it is validated, which lets an attacker bypass the length check. The vulnerability affects Linux kernel version 6.16 and the 7.0 release candidates (rc1 through rc7). Tracked under CWE-190 (Integer Overflow or Wraparound), the issue is exploitable remotely over the network without authentication or user interaction.
Critical Impact
A remote, unauthenticated attacker can trigger an integer overflow in the kernel's RxGK authentication response handling, potentially leading to memory corruption with high impact to confidentiality, integrity, and availability.
Affected Products
- Linux kernel 6.16
- Linux kernel 7.0-rc1 through 7.0-rc7
- Distributions shipping the rxrpc module with RxGK support enabled
Discovery Timeline
- 2026-04-24 - CVE-2026-31633 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31633
Vulnerability Analysis
The vulnerability resides in rxgk_verify_response(), a function in the rxrpc (AF_RXRPC) networking subsystem that validates RxGK authentication responses. RxGK is the GSS-API-based security class used by AFS-style RPC over UDP. During response verification, the code computes token_len and rounds it up to satisfy alignment requirements before comparing it against the available response length. Rounding up an attacker-supplied value before bounds checking allows a crafted value near UINT_MAX to wrap to a small number that passes validation.
Once the check is bypassed, the kernel proceeds to parse a token whose true size exceeds the actual UDP packet contents. This yields out-of-bounds memory access during decode, with potential for kernel memory corruption or information disclosure.
Root Cause
The root cause is an ordering error between normalization (the alignment round-up) and validation. The unrounded token_len value must also be compared against len, the length of the containing response, which is bounded by a single UDP datagram. The upstream fix introduces this additional check so that a value that would overflow on rounding is rejected before any arithmetic is performed on it.
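The following is an added model of the rounding-before-validation pattern described above, placed here to show why the order of the two operations matters. It is not the kernel's rxgk_verify_response() code: the function names, the 4-byte alignment used for the round-up, and the sample len value are assumptions chosen for illustration.

```c
/* Added illustrative model of the rounding-before-validation bug described
 * in the advisory. This is NOT the kernel's rxgk_verify_response() code;
 * the function names, the 4-byte alignment and the len bound are assumptions. */
#include <stdio.h>
#include <stdint.h>

/* Assumed XDR-style alignment: round a length up to a multiple of 4 bytes.
 * The addition wraps silently when n is within 3 of UINT32_MAX. */
static uint32_t round_up_4(uint32_t n)
{
    return (n + 3u) & ~3u;
}

/* Vulnerable ordering: the attacker-controlled token_len is rounded before
 * being compared against len, the bytes remaining in the datagram.
 * Returns 1 if the length is accepted, 0 if rejected. */
int check_token_len_vulnerable(uint32_t token_len, uint32_t len)
{
    uint32_t rounded = round_up_4(token_len);
    if (rounded > len)
        return 0;
    return 1;  /* a wrapped rounded value (e.g. 0) slips through here */
}

/* Fixed ordering: validate the unrounded value first, then detect the wrap,
 * then make sure the padded length still fits. */
int check_token_len_fixed(uint32_t token_len, uint32_t len)
{
    if (token_len > len)          /* raw value cannot exceed the datagram */
        return 0;
    uint32_t rounded = round_up_4(token_len);
    if (rounded < token_len)      /* wraparound on rounding: reject */
        return 0;
    if (rounded > len)            /* alignment padding must also fit */
        return 0;
    return 1;
}

int main(void)
{
    const uint32_t len = 1200;               /* constructed: bytes left in a UDP payload */
    const uint32_t crafted = UINT32_MAX - 1; /* 0xFFFFFFFE rounds up to 0 */

    printf("crafted token_len=0x%08x, len=%u\n", crafted, len);
    printf("vulnerable check accepts: %d\n", check_token_len_vulnerable(crafted, len));
    printf("fixed check accepts:      %d\n", check_token_len_fixed(crafted, len));
    printf("fixed check, legit 1197:  %d\n", check_token_len_fixed(1197, len));
    return 0;
}
```

With the constructed values, the vulnerable ordering accepts 0xFFFFFFFE because it rounds to 0, while the fixed ordering rejects it at the first comparison; the three checks in the fixed version are the general form of the guard, and the wraparound test is what makes it safe even if len were not bounded by a datagram.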
Attack Vector
An attacker sends a crafted RxRPC response packet to a target host that has the rxrpc module loaded and accepts RxGK-secured connections. No authentication or user interaction is required, and the attack is performed over the network. Because the bug sits in kernel-mode packet processing, successful exploitation operates at ring 0.
No public proof-of-concept code is available. The vulnerability is described in prose form in the upstream commits; see the kernel.org references for the patches.
Detection Methods for CVE-2026-31633
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing rxgk_verify_response or rxrpc in dmesg and /var/log/kern.log.
- Unsolicited inbound UDP traffic on port 7001 (the AFS/RxRPC port) to hosts that do not normally expose RxRPC services.
- Abnormal crashes or restarts of services that link against libafs or kafs on affected kernels.
Detection Strategies
- Inventory running kernels and flag any system on 6.16 or 7.0-rc1 through 7.0-rc7 that does not include the fix commits 1f864d9d, 699e5218, or c1e242be.
- Monitor for kernel taint flags and stack traces in the rxrpc call path captured by host telemetry agents.
- Correlate inbound UDP/7001 traffic with subsequent kernel-level instability across the fleet.
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM or data lake and alert on BUG:, KASAN:, or general protection fault entries that include rxrpc symbols.
- Track loaded kernel modules and alert when rxrpc is present on hosts where AFS is not required.
- Watch network flow records for sources sending malformed or oversized RxRPC response packets.
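The following is an added example of host-side detection logic for the indicators and strategies listed above; it is not part of the advisory or the kernel project. It classifies kernel log lines that combine a fault marker with an rxrpc/rxgk symbol, and flags uname -r strings that fall in the stated affected range. The marker strings, the version-range rule, and the sample log lines are constructed assumptions; a 6.16.x kernel flagged here still needs the fix commits verified separately, since version alone does not prove the fix is absent.

```c
/* Added example of detection logic for the indicators in the advisory.
 * Not from the advisory or the kernel project: the marker strings, the
 * version-range rule and the sample log lines are constructed assumptions. */
#include <stdio.h>
#include <string.h>

/* Markers that indicate a kernel fault; a line is only interesting when it
 * also names an rxrpc/rxgk symbol. */
static const char *const fault_markers[] = {
    "BUG:", "KASAN:", "general protection fault", NULL
};
static const char *const rxrpc_symbols[] = {
    "rxrpc", "rxgk_verify_response", NULL
};

static int contains_any(const char *line, const char *const *needles)
{
    for (; *needles; needles++)
        if (strstr(line, *needles))
            return 1;
    return 0;
}

/* Returns 1 when a kernel log line looks like a fault in the rxrpc call path. */
int is_rxrpc_fault_line(const char *line)
{
    return contains_any(line, fault_markers) && contains_any(line, rxrpc_symbols);
}

/* Returns 1 when a `uname -r` string falls in the advisory's affected range:
 * 6.16 (any point release, assumed to need fix-commit verification) or
 * 7.0-rc1 through 7.0-rc7. Anything else returns 0. */
int kernel_in_affected_range(const char *release)
{
    int major = 0, minor = 0, rc = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;
    if (major == 6 && minor == 16)
        return 1;
    if (major == 7 && minor == 0) {
        const char *p = strstr(release, "-rc");
        if (p && sscanf(p + 3, "%d", &rc) == 1 && rc >= 1 && rc <= 7)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample kernel log lines (single-line form for simplicity). */
    static const char *const samples[] = {
        "kernel: BUG: KASAN: slab-out-of-bounds in rxgk_verify_response+0x1a2/0x3f0 [rxrpc]",
        "kernel: general protection fault in rxrpc_input_packet [rxrpc]",
        "kernel: BUG: unable to handle page fault in nvme_irq",
        "kernel: rxrpc: module loaded",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s | %s\n", is_rxrpc_fault_line(samples[i]) ? "ALERT" : "ok   ", samples[i]);

    /* Constructed release strings as `uname -r` would print them. */
    static const char *const releases[] = { "6.16.4", "7.0-rc3", "7.0-rc8", "6.17.1", "7.0" };
    for (size_t i = 0; i < sizeof releases / sizeof releases[0]; i++)
        printf("%-8s in-affected-range=%d\n", releases[i], kernel_in_affected_range(releases[i]));
    return 0;
}
```

In a real deployment the line classifier would run over the forwarded kernel log stream in the SIEM, and the version check would be paired with a lookup of the fix commit ids in the distribution's changelog, since a stable 6.16.x build may already carry the fix.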
How to Mitigate CVE-2026-31633
Immediate Actions Required
- Apply the upstream kernel patches referenced by commits 1f864d9daaf622aeaa774404fd51e7d6a435b046, 699e52180f4231c257821c037ed5c99d5eb0edb8, and c1e242beb6b1efc3c286f617e8d940c8fbf2ed41.
- Reboot affected systems after patching to load the fixed kernel image.
- Restrict inbound UDP traffic to the AFS/RxRPC port (7001) at the network perimeter and host firewall.
Patch Information
The fix adds a check of the unrounded token_len against len, so that a value which would overflow on rounding is rejected before it can bypass validation. Patches are available in the stable kernel tree (see the commit ids listed under Immediate Actions Required).
Workarounds
- Blacklist the rxrpc kernel module on hosts that do not require AFS connectivity using modprobe.d configuration.
- Block UDP traffic to port 7001 from untrusted sources at network and host firewalls.
- Limit RxRPC peers to known AFS cells via configuration where the service must remain enabled.
# Configuration example: prevent the rxrpc module from loading
echo 'blacklist rxrpc' | sudo tee /etc/modprobe.d/disable-rxrpc.conf
# 'install ... /bin/true' also defeats loading via dependencies or an explicit modprobe
echo 'install rxrpc /bin/true' | sudo tee -a /etc/modprobe.d/disable-rxrpc.conf
sudo update-initramfs -u   # Debian/Ubuntu; on RHEL-family hosts use: sudo dracut -f
# Host firewall: block inbound RxRPC/AFS traffic
# (appended with -A, so it takes effect only if no earlier rule accepts the traffic;
#  not persistent across reboots unless saved with iptables-save or iptables-persistent)
sudo iptables -A INPUT -p udp --dport 7001 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.