Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31635

CVE-2026-31635: Linux Kernel Privilege Escalation Flaw

CVE-2026-31635 is a privilege escalation vulnerability in the Linux kernel affecting rxrpc authentication. An inverted length check allows oversized authenticators to trigger system crashes. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-31635 Overview

CVE-2026-31635 is a Linux kernel vulnerability in the rxrpc subsystem affecting the rxgk (RxRPC GSSAPI Kerberos) authentication path. The function rxgk_verify_response() contains an inverted length check that fails to reject oversized RESPONSE authenticators. Crafted packets propagate through rxgk_decrypt_skb() to skb_to_sgvec(), where an impossible length triggers a BUG_ON(len) kernel assertion. The flaw enables a remote, unauthenticated attacker to crash affected systems over the network.

Critical Impact

Remote, unauthenticated attackers can trigger a kernel BUG_ON via crafted rxrpc RESPONSE packets, causing denial of service on Linux hosts running affected kernel builds.

Affected Products

  • Linux kernel 6.16 (release)
  • Linux kernel 7.0 release candidates rc1 through rc7
  • Linux kernel builds incorporating the rxrpc rxgk authentication path prior to the upstream fix

Discovery Timeline

  • 2026-04-24 - CVE-2026-31635 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-31635

Vulnerability Analysis

The vulnerability resides in rxgk_verify_response() within net/rxrpc/rxgk.c. The function decodes auth_len from an incoming RESPONSE packet and is expected to confirm the declared length fits within the remaining packet payload. The comparison operator is inverted, so values exceeding the available bytes pass validation instead of being rejected.

Once accepted, the oversized authenticator reaches rxgk_decrypt_skb() in net/rxrpc/rxgk_common.h. That path invokes skb_to_sgvec() in net/core/skbuff.c, which walks the socket buffer to build a scatter-gather vector. When the requested length exceeds the actual buffer, __skb_to_sgvec() hits BUG_ON(len) at line 5285 and panics the kernel.

The call chain documented in the upstream commit traces from ret_from_fork() through kthread(), worker_thread(), process_one_work(), rxrpc_process_connection(), and into the rxgk handlers. Processing occurs in a workqueue context, so the crash takes down kernel worker threads handling rxrpc connection events.

Root Cause

The root cause is an inverted bounds check on auth_len during RESPONSE packet decoding. The condition that should reject lengths greater than the remaining payload instead accepts them. This is an input validation failure [NVD-CWE-noinfo] that violates the invariant required by downstream skb_to_sgvec() consumers.

Attack Vector

An unauthenticated remote attacker sends a crafted rxrpc RESPONSE packet to a target listening on the rxrpc protocol with rxgk security enabled. The packet declares an authenticator length larger than the remaining payload. Kernel processing in rxrpc_process_connection() reaches the faulty check, accepts the oversized value, and the subsequent decrypt path triggers the BUG_ON. Network-reachable services that use AFS or other rxrpc-based protocols with rxgk are exposed.

No public proof-of-concept exploit code is currently available for this issue. Refer to the upstream kernel fix commit for the corrected boundary check.

Detection Methods for CVE-2026-31635

Indicators of Compromise

  • Kernel panic logs referencing BUG_ON at __skb_to_sgvec() in net/core/skbuff.c:5285
  • Stack traces containing rxgk_verify_response, rxgk_decrypt_skb, and rxrpc_process_connection frames
  • Unexpected reboots or hangs on hosts exposing rxrpc services (commonly AFS file servers and clients)
  • Inbound rxrpc traffic from untrusted sources targeting UDP port 7000 or other configured rxrpc endpoints

Detection Strategies

  • Monitor dmesg and /var/log/kern.log for BUG: entries originating in the rxrpc or skbuff subsystems
  • Compare running kernel versions against the fixed commits listed in the kernel.org stable advisories
  • Inspect network telemetry for malformed rxrpc RESPONSE packets directed at AFS or kafs endpoints
  • Correlate kernel crash dumps captured by kdump with the documented rxgk_verify_response call chain

Monitoring Recommendations

  • Aggregate kernel crash telemetry from production Linux fleets into a centralized logging platform
  • Alert on repeated worker thread crashes tied to rxrpc_process_connection after exposure to external networks
  • Track patch deployment status for the kernel commits referenced in the vendor advisories across all hosts running affected versions

How to Mitigate CVE-2026-31635

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the kernel.org stable tree as soon as distribution updates are available
  • Inventory hosts running Linux kernel 6.16 or 7.0-rc builds and prioritize those exposing rxrpc services
  • Restrict inbound rxrpc traffic to trusted networks using host firewalls or network ACLs until patches are deployed
  • Disable the rxrpc and kafs kernel modules on systems that do not require AFS connectivity

Patch Information

The fix corrects the inverted length comparison in rxgk_verify_response() so that authenticator lengths exceeding the remaining packet payload are rejected before reaching rxgk_decrypt_skb(). Authoritative commits are available at the Kernel Git Commit Update, Kernel Git Commit Fix, and Kernel Git Commit Improvement. Apply the corresponding distribution kernel updates once published.

Workarounds

  • Block UDP port 7000 and any custom rxrpc ports at perimeter and host firewalls for systems that do not require external AFS access
  • Unload the rxrpc module with modprobe -r rxrpc and add it to a modprobe blacklist where AFS is not in use
  • Limit rxgk-authenticated connectivity to trusted management networks via segmentation until the patched kernel is in production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.