CVE-2026-31636 Overview
CVE-2026-31636 is a critical out-of-bounds read vulnerability in the Linux kernel's rxrpc subsystem, specifically within the RESPONSE authenticator parser. The vulnerability exists in the rxgk_verify_authenticator() function, which incorrectly calculates the parser boundary when processing authentication data, allowing attackers to read past the allocated buffer.
The flaw occurs because rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 * pointer type, this calculation inflates the parser end pointer by a factor of four, enabling malformed RESPONSE authenticators to trigger reads beyond the kmalloc() buffer boundary.
Critical Impact
This network-exploitable vulnerability allows remote attackers to trigger out-of-bounds memory reads in kernel space, potentially leaking sensitive information or causing system instability without requiring authentication.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.16
- Linux Kernel 7.0 (rc1 through rc7)
Discovery Timeline
- April 24, 2026 - CVE-2026-31636 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31636
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read), a memory-safety issue affecting the rxrpc networking subsystem in the Linux kernel. The rxrpc subsystem implements the RxRPC remote procedure call protocol, commonly used by AFS (Andrew File System) clients and servers.
The vulnerability allows remote attackers to trigger kernel memory disclosure by sending specially crafted RESPONSE packets to systems with rxrpc enabled. Because the attack vector is network-based and requires no privileges or user interaction, it presents a significant risk to exposed systems. Successful exploitation could leak sensitive kernel memory contents or cause denial of service through kernel crashes.
Root Cause
The root cause is a pointer arithmetic error in rxgk_verify_authenticator(). When constructing the parser limit, the code passes p + auth_len where p is declared as __be32 *. In C, pointer arithmetic automatically scales the offset by the size of the pointed-to type (4 bytes for __be32), so adding auth_len actually advances the pointer by auth_len * 4 bytes instead of the intended auth_len bytes.
This miscalculation means the parser limit extends four times further into memory than the actual buffer allocation, allowing rxgk_do_verify_authenticator() to read up to three times the buffer's length past its legitimate end when parsing malformed RESPONSE authenticators.
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can send malformed RxRPC RESPONSE packets containing specially crafted authenticator data to a vulnerable system. When the kernel processes these packets through rxgk_verify_response() during connection handling, the faulty pointer arithmetic allows reads beyond the allocated slab memory.
The KASAN (Kernel Address Sanitizer) stack trace from reproduction testing shows the vulnerability manifesting in the following call chain:
- rxrpc_process_connection() handles incoming connection events
- rxgk_verify_response() processes RESPONSE packets
- The slab-out-of-bounds read occurs during authenticator parsing
The fix converts the byte count to __be32 units (dividing by 4) before constructing the parser limit, ensuring the boundary calculation correctly reflects the actual buffer size.
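To make the pointer-scaling error in the root-cause description and the corrected calculation in the fix concrete, here is an added, constructed C model; it is not the kernel's rxgk.c code. parse_elements(), limit_buggy(), limit_fixed(), bytes_read() and the 16-byte authenticator are assumptions of the model, and the authenticator sits at the start of a larger backing array so the demonstration itself stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's big-endian 32-bit XDR word type (constructed
 * model, not the kernel's rxgk.c). */
typedef uint32_t __be32;

/* Model of an XDR-style element parser: the first word is an element count
 * that must fit between p and the caller-supplied limit `end`.  Returns the
 * number of bytes the parser would read, or 0 if it refuses the input. */
static size_t parse_elements(const __be32 *p, const __be32 *end)
{
    if (p + 1 > end)
        return 0;
    uint32_t count = *p;                 /* element count from the wire */
    if (count > (size_t)(end - p - 1))   /* bounds check against `end` */
        return 0;
    return (1 + count) * sizeof(__be32);
}

/* Buggy limit as described for rxgk_verify_authenticator(): auth_len is a
 * byte count, but p is __be32 *, so the addition is scaled by sizeof(__be32). */
static const __be32 *limit_buggy(const __be32 *p, size_t auth_len)
{
    return p + auth_len;
}

/* Fixed limit: convert the byte count to __be32 units before adding. */
static const __be32 *limit_fixed(const __be32 *p, size_t auth_len)
{
    return p + auth_len / sizeof(__be32);
}

/* Runs the parser over a constructed auth_len-byte authenticator placed at
 * the start of a larger backing array (so the buggy limit is still a valid
 * pointer here and the demo stays well-defined).  Returns the bytes the
 * parser would consume; anything above auth_len is an out-of-bounds read. */
size_t bytes_read(int fixed)
{
    static __be32 backing[16];       /* 64 bytes; only the first 16 are "allocated" */
    const size_t auth_len = 16;
    memset(backing, 0, sizeof backing);
    backing[0] = 10;                 /* claims 10 elements = 40 more bytes */
    const __be32 *p = backing;
    const __be32 *end = fixed ? limit_fixed(p, auth_len) : limit_buggy(p, auth_len);
    return parse_elements(p, end);
}
```

With the buggy limit the bounds check passes and the parser would consume 44 bytes of a 16-byte buffer; with the fixed limit the same input is rejected.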
Detection Methods for CVE-2026-31636
Indicators of Compromise
- KASAN reports showing slab-out-of-bounds errors in the rxgk_verify_response() function
- Kernel crash dumps or oops messages referencing net/rxrpc/rxgk.c in the call trace
- Unusual rxrpc connection processing errors in kernel logs
- Memory corruption indicators near rxrpc-related slab allocations
Detection Strategies
- Enable KASAN in kernel builds to detect out-of-bounds memory access attempts
- Monitor for kernel oops or panic events with call traces containing rxgk_verify_authenticator or rxrpc_process_connection
- Implement network monitoring for anomalous RxRPC traffic patterns, particularly malformed RESPONSE packets
- Deploy endpoint detection solutions capable of identifying kernel memory corruption attempts
Monitoring Recommendations
- Configure kernel logging to capture detailed rxrpc subsystem messages
- Set up alerts for unexpected kernel crashes on systems running AFS or other rxrpc-dependent services
- Monitor network traffic on UDP ports 7000-7009 (common AFS/rxrpc ports) for suspicious activity
- Review system stability metrics for unexplained kernel instability on exposed servers
How to Mitigate CVE-2026-31636
Immediate Actions Required
- Apply the kernel patches from the official Git repositories immediately
- Restrict network access to rxrpc services where possible using firewall rules
- Consider disabling the rxrpc kernel module on systems that don't require AFS functionality
- Monitor affected systems for signs of exploitation until patching is complete
Patch Information
The Linux kernel maintainers have released patches that correct the pointer arithmetic issue by converting the byte count to __be32 units before constructing the parser limit. The following commits contain the fix:
System administrators should update to kernel versions containing these patches or apply the relevant backported fixes for their distribution.
Workarounds
- Disable the rxrpc kernel module if AFS functionality is not required: modprobe -r rxrpc
- Block inbound UDP traffic on rxrpc ports (typically 7000-7009) at the network perimeter
- Use network segmentation to isolate systems running rxrpc services from untrusted networks
- Enable KASAN in development/testing environments to detect exploitation attempts
# Configuration example
# Disable rxrpc module loading
echo "blacklist rxrpc" >> /etc/modprobe.d/blacklist-rxrpc.conf
echo "blacklist af_rxrpc" >> /etc/modprobe.d/blacklist-rxrpc.conf
# A blacklist entry only stops automatic loading by alias; an explicit
# modprobe still succeeds, so also override the install command
echo "install rxrpc /bin/false" >> /etc/modprobe.d/blacklist-rxrpc.conf
# Block rxrpc traffic with iptables (if module cannot be disabled)
iptables -A INPUT -p udp --dport 7000:7009 -j DROP
# Verify rxrpc module is not loaded
lsmod | grep rxrpc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.