CVE-2026-31635 Overview
CVE-2026-31635 is a Linux kernel vulnerability in the rxrpc subsystem affecting the rxgk (RxRPC GSSAPI Kerberos) authentication path. The function rxgk_verify_response() contains an inverted length check that fails to reject oversized RESPONSE authenticators. Crafted packets propagate through rxgk_decrypt_skb() to skb_to_sgvec(), where an impossible length triggers a BUG_ON(len) kernel assertion. The flaw enables a remote, unauthenticated attacker to crash affected systems over the network.
Critical Impact
Remote, unauthenticated attackers can trigger a kernel BUG_ON via crafted rxrpc RESPONSE packets, causing denial of service on Linux hosts running affected kernel builds.
Affected Products
- Linux kernel 6.16 (release)
- Linux kernel 7.0 release candidates rc1 through rc7
- Linux kernel builds incorporating the rxrpc rxgk authentication path prior to the upstream fix
Discovery Timeline
- 2026-04-24 - CVE-2026-31635 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31635
Vulnerability Analysis
The vulnerability resides in rxgk_verify_response() within net/rxrpc/rxgk.c. The function decodes auth_len from an incoming RESPONSE packet and is expected to confirm the declared length fits within the remaining packet payload. The comparison operator is inverted, so values exceeding the available bytes pass validation instead of being rejected.
Once accepted, the oversized authenticator reaches rxgk_decrypt_skb() in net/rxrpc/rxgk_common.h. That path invokes skb_to_sgvec() in net/core/skbuff.c, which walks the socket buffer to build a scatter-gather vector. When the requested length exceeds the actual buffer, __skb_to_sgvec() hits BUG_ON(len) at line 5285 and panics the kernel.
The call chain documented in the upstream commit traces from ret_from_fork() through kthread(), worker_thread(), process_one_work(), rxrpc_process_connection(), and into the rxgk handlers. Processing occurs in a workqueue context, so the crash takes down kernel worker threads handling rxrpc connection events.
Root Cause
The root cause is an inverted bounds check on auth_len during RESPONSE packet decoding. The condition that should reject lengths greater than the remaining payload instead accepts them. This is an input validation failure [NVD-CWE-noinfo] that violates the invariant required by downstream skb_to_sgvec() consumers.
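The effect of the inverted comparison can be reproduced in a small model. This is an added example, not kernel source: the packet layout (a 4-byte big-endian auth_len followed by the authenticator), the exact form of the inverted comparison, and the names map_region, verify_response and outcome are assumptions made for illustration.

```python
import struct

class ProtocolError(Exception):
    """Packet rejected by validation (the safe outcome)."""

class InvariantViolation(Exception):
    """Stands in for the kernel's BUG_ON(len) in __skb_to_sgvec()."""

def map_region(buf: bytes, offset: int, length: int) -> bytes:
    # Model of the downstream consumer: it trusts `length` and treats
    # running out of buffer before `length` is consumed as a fatal bug.
    available = len(buf) - offset
    if length > available:
        raise InvariantViolation(f"{length - available} bytes unaccounted for")
    return buf[offset:offset + length]

def verify_response(buf: bytes, fixed: bool) -> bytes:
    # Toy layout (assumption): 4-byte big-endian auth_len, then authenticator.
    if len(buf) < 4:
        raise ProtocolError("short packet")
    (auth_len,) = struct.unpack_from(">I", buf, 0)
    remaining = len(buf) - 4
    if fixed:
        bad = auth_len > remaining   # reject a length that cannot fit
    else:
        bad = auth_len < remaining   # inverted (assumed form): oversize passes
    if bad:
        raise ProtocolError("auth_len does not match payload")
    return map_region(buf, 4, auth_len)

def outcome(buf: bytes, fixed: bool) -> str:
    try:
        verify_response(buf, fixed)
        return "accepted"
    except ProtocolError:
        return "rejected"
    except InvariantViolation:
        return "crash"

# Constructed inputs: declared length 8 with 8 bytes present, and declared
# length 4096 with only 8 bytes present.
WELL_FORMED = struct.pack(">I", 8) + b"A" * 8
OVERSIZED = struct.pack(">I", 4096) + b"A" * 8
```

With the inverted check the oversized declaration reaches the consumer and violates its invariant; with the corrected check it is rejected at the boundary, which is the behaviour the fix restores.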
Attack Vector
An unauthenticated remote attacker sends a crafted rxrpc RESPONSE packet to a target listening on the rxrpc protocol with rxgk security enabled. The packet declares an authenticator length larger than the remaining payload. Kernel processing in rxrpc_process_connection() reaches the faulty check, accepts the oversized value, and the subsequent decrypt path triggers the BUG_ON. Network-reachable services that use AFS or other rxrpc-based protocols with rxgk are exposed.
No public proof-of-concept exploit code is currently available for this issue. Refer to the upstream kernel fix commit for the corrected boundary check.
Detection Methods for CVE-2026-31635
Indicators of Compromise
- Kernel panic logs referencing BUG_ON at __skb_to_sgvec() in net/core/skbuff.c:5285
- Stack traces containing rxgk_verify_response, rxgk_decrypt_skb, and rxrpc_process_connection frames
- Unexpected reboots or hangs on hosts exposing rxrpc services (commonly AFS file servers and clients)
- Inbound rxrpc traffic from untrusted sources targeting UDP port 7000 or other configured rxrpc endpoints
Detection Strategies
- Monitor dmesg and /var/log/kern.log for BUG: entries originating in the rxrpc or skbuff subsystems
- Compare running kernel versions against the fixed commits listed in the kernel.org stable advisories
- Inspect network telemetry for malformed rxrpc RESPONSE packets directed at AFS or kafs endpoints
- Correlate kernel crash dumps captured by kdump with the documented rxgk_verify_response call chain
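One way to turn the indicators and detection strategies above into a log triage check, as an added example that is not part of the original advisory. The sample log is constructed, and the function names crash_reports, classify and triage are assumptions.

```python
import re

# Function names taken from the call chain on this page.
CHAIN = ("rxgk_verify_response", "rxgk_decrypt_skb", "rxrpc_process_connection")
BUG_SITE = re.compile(r"kernel BUG at (\S+?):\d+!")
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def crash_reports(lines):
    """Group log lines into one dict per 'kernel BUG at' header."""
    report = None
    for line in lines:
        m = BUG_SITE.search(line)
        if m:
            if report is not None:
                yield report
            report = {"file": m.group(1), "frames": []}
        elif report is not None:
            report["frames"] += FRAME.findall(line)
    if report is not None:
        yield report

def classify(report):
    # The source line number shifts between builds, so match on file and frames.
    in_skbuff = report["file"] == "net/core/skbuff.c"
    hits = [f for f in CHAIN if f in report["frames"]]
    if in_skbuff and len(hits) == len(CHAIN):
        return "match"
    return "review" if in_skbuff or hits else "unrelated"

def triage(lines):
    return [classify(r) for r in crash_reports(lines)]

# Constructed sample log (timestamps, offsets and the second report are made up).
SAMPLE = """\
[  812.100001] kernel BUG at net/core/skbuff.c:5285!
[  812.100009] RIP: 0010:__skb_to_sgvec+0x2d0/0x2e0
[  812.100020] Call Trace:
[  812.100024]  skb_to_sgvec+0x30/0x70
[  812.100029]  rxgk_decrypt_skb+0x1a0/0x2c0
[  812.100033]  rxgk_verify_response+0x3f4/0x6b0
[  812.100038]  rxrpc_process_connection+0x2c8/0x700
[  812.100042]  process_one_work+0x1a0/0x3d0
[  901.500001] kernel BUG at fs/example/file.c:120!
[  901.500010] Call Trace:
[  901.500014]  example_fn+0x10/0x40
""".splitlines()
```

A "match" needs both the skbuff.c BUG site and all three rxrpc frames; a report with only one of the two signals is returned as "review" so that partial traces are not silently dropped.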
Monitoring Recommendations
- Aggregate kernel crash telemetry from production Linux fleets into a centralized logging platform
- Alert on repeated worker thread crashes tied to rxrpc_process_connection after exposure to external networks
- Track patch deployment status for the kernel commits referenced in the vendor advisories across all hosts running affected versions
How to Mitigate CVE-2026-31635
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org stable tree as soon as distribution updates are available
- Inventory hosts running Linux kernel 6.16 or 7.0-rc builds and prioritize those exposing rxrpc services
- Restrict inbound rxrpc traffic to trusted networks using host firewalls or network ACLs until patches are deployed
- Disable the rxrpc and kafs kernel modules on systems that do not require AFS connectivity
Patch Information
The fix corrects the inverted length comparison in rxgk_verify_response() so that authenticator lengths exceeding the remaining packet payload are rejected before reaching rxgk_decrypt_skb(). Authoritative commits are available at the Kernel Git Commit Update, Kernel Git Commit Fix, and Kernel Git Commit Improvement. Apply the corresponding distribution kernel updates once published.
Workarounds
- Block UDP port 7000 and any custom rxrpc ports at perimeter and host firewalls for systems that do not require external AFS access
- Unload the rxrpc module with modprobe -r rxrpc and add it to a modprobe blacklist where AFS is not in use
- Limit rxgk-authenticated connectivity to trusted management networks via segmentation until the patched kernel is in production


