CVE-2026-31643 Overview
CVE-2026-31643 is a memory leak vulnerability in the Linux kernel's rxrpc subsystem. The flaw resides in the rxrpc_preparse_xdr_yfs_rxgk() function, which handles parsing of YFS rxgk keys. Memory allocated to token->rxgk can leak through several error paths after allocation, because the cleanup path at the reject_token: label does not free it. Repeated triggering of these error paths can exhaust kernel memory and cause a denial-of-service condition. The vulnerability is classified under [CWE-401] (Missing Release of Memory after Effective Lifetime) and affects Linux kernel version 6.16 along with several 7.0 release candidates.
Critical Impact
Local users can trigger repeated kernel memory leaks through crafted rxrpc key operations, leading to resource exhaustion and high-impact availability loss.
Affected Products
- Linux kernel 6.16
- Linux kernel 7.0-rc1 through 7.0-rc7
- Systems using the rxrpc networking subsystem with YFS rxgk key support
Discovery Timeline
- 2026-04-24 - CVE-2026-31643 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31643
Vulnerability Analysis
The defect exists in the Linux kernel's RxRPC (Rx Remote Procedure Call) implementation, specifically in code that parses YFS rxgk-format authentication tokens. The function rxrpc_preparse_xdr_yfs_rxgk() allocates memory and attaches it to the token->rxgk structure during key material parsing. When parsing subsequently fails and execution branches to the reject_token: error label, the allocated token->rxgk memory is not released. Each failed parse leaks kernel heap memory.
This is a local availability issue. An attacker requires the ability to invoke the affected key parsing path, which is reachable from userspace through standard kernel keyring interfaces. Sustained exploitation can exhaust kernel memory and degrade or crash the host.
Root Cause
The root cause is incomplete cleanup logic in an error-handling path. The function allocates the rxgk substructure early in parsing but the reject_token: cleanup block only frees the outer token, omitting the embedded rxgk allocation. This is a classic [CWE-401] memory leak pattern where the allocation lifetime is not correctly tied to all exit paths.
Attack Vector
An authenticated local user can submit malformed YFS rxgk key payloads through the kernel keyring interface, driving rxrpc_preparse_xdr_yfs_rxgk() repeatedly down its rejection path. Each rejected token leaks kernel memory. No memory disclosure or code execution is possible — only availability is affected. The fix, applied across commits 01f51318, b555912b, and d5f76f81, frees the rxgk allocation in the reject_token: case.
No public proof-of-concept or active exploitation has been reported. See the upstream Kernel Git Commit Update for the authoritative patch.
Detection Methods for CVE-2026-31643
Indicators of Compromise
- Gradual, unexplained increase in kernel slab allocations attributable to the rxrpc subsystem
- Repeated add_key or keyctl syscalls referencing the rxrpc key type from non-administrative users
- dmesg warnings about low memory or OOM-killer activity on hosts running AFS/YFS workloads
Detection Strategies
- Audit /proc/slabinfo and /proc/meminfo over time for steady growth without corresponding workload increase
- Enable kernel memory leak detection (kmemleak) on test systems to confirm whether token->rxgk allocations are unreleased
- Correlate keyring syscall telemetry with kernel memory pressure events to identify abusive callers
Monitoring Recommendations
- Track running Linux kernel versions across the fleet and flag any host on 6.16 or 7.0-rc builds
- Alert on processes invoking the rxrpc key type that do not belong to known AFS/YFS service accounts
- Baseline kernel heap usage on AFS/YFS clients and trigger alerts on sustained upward drift
How to Mitigate CVE-2026-31643
Immediate Actions Required
- Apply the upstream stable kernel updates containing commits 01f51318, b555912b, and d5f76f81 as soon as distribution packages are available
- Inventory all Linux hosts running kernel 6.16 or any 7.0 release candidate and prioritize them for patching
- Restrict local shell access on multi-tenant systems until patches are deployed
Patch Information
The fix releases the token->rxgk allocation inside the reject_token: error path of rxrpc_preparse_xdr_yfs_rxgk(). Patches are available from the stable kernel tree: Kernel Git Commit 01f51318, Kernel Git Commit b555912b, and Kernel Git Commit d5f76f81. Rebuild and reboot affected systems after applying.
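The cleanup gap described under Root Cause and the release that the patch adds, as a simplified userspace model. This is an added example, not kernel source or the upstream patch: the struct layouts, the `fixed` switch, the counting allocator and the sample payload are assumptions for illustration; only `token->rxgk` and the `reject_token:` label come from the advisory.

```c
/* Userspace model of the error-path leak; NOT kernel source. Only token->rxgk
 * and the reject_token label come from the advisory; the rest is assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
static long live_allocs;  /* outstanding allocations, a stand-in for kmemleak */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
struct rxgk_key { unsigned int enctype, key_len; };  /* hypothetical fields */
struct token { struct rxgk_key *rxgk; };

/* Parse a constructed two-word payload {enctype, key_len}. Validation runs after
 * the inner allocation; fixed == 0 is pre-patch cleanup, fixed == 1 is patched. */
static int preparse(const unsigned int xdr[2], int fixed, struct token **out)
{
    int ret = -ENOMEM;
    struct token *token = xalloc(sizeof(*token));
    if (!token) return ret;
    token->rxgk = xalloc(sizeof(*token->rxgk));
    if (!token->rxgk) goto reject_token;
    *token->rxgk = (struct rxgk_key){ xdr[0], xdr[1] };
    ret = -EINVAL;
    if (token->rxgk->enctype == 0 || token->rxgk->key_len == 0 ||
        token->rxgk->key_len > 64)
        goto reject_token;       /* rejected after the inner allocation exists */
    *out = token;
    return 0;
reject_token:
    if (fixed)
        xfree(token->rxgk);      /* the release the pre-patch path omitted */
    xfree(token);
    return ret;
}

/* Drive the rejection path and report how many allocations stay outstanding. */
static long leaked_after(int fixed, int attempts)
{
    const unsigned int bad[2] = { 18, 0 };   /* constructed: zero-length key */
    struct token *t = NULL;
    long before = live_allocs;
    for (int i = 0; i < attempts; i++)
        (void)preparse(bad, fixed, &t);
    return live_allocs - before;
}

int main(void)
{
    printf("pre-patch: %ld leaked, patched: %ld leaked\n",
           leaked_after(0, 1000), leaked_after(1, 1000));
    return 0;
}
```

The outstanding-allocation count grows by one per rejected parse with the pre-patch cleanup and stays flat with the patched cleanup, which is the same signal kmemleak or slab trending would surface on a real host.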
Workarounds
- Disable the rxrpc kernel module on systems that do not require AFS or YFS connectivity
- Apply SELinux or AppArmor policies that restrict use of the add_key and keyctl syscalls for the rxrpc key type to trusted service accounts
- Place memory cgroup limits on untrusted user sessions to contain the impact of any leak
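# Configuration example: blacklist rxrpc on hosts that do not need AFS/YFS
# Note: "blacklist" only stops alias-based autoloading; an explicit modprobe or a dependent module can still load rxrpc
echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
# Unload the module now if it is loaded; the error is suppressed if it is absent or still in use
sudo rmmod rxrpc 2>/dev/null || true
# Verify the running kernel version against affected releases
uname -r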


