CVE-2026-46039: Linux Kernel Integer Overflow Vulnerability

CVE-2026-46039 Overview

CVE-2026-46039 is an integer overflow vulnerability in the Linux kernel's rxgk subsystem, which implements the RxGK security class used by AFS (Andrew File System) over RxRPC. The flaw resides in the rxgk_extract_token() function during a length check on incoming ticket data. The original code rounded up the value under test before comparison, which could itself overflow and bypass the bounds check. The upstream fix inverts the logic by rounding down the size of the available data, removing the overflow path entirely.

Critical Impact

A specially crafted ticket length could bypass validation in rxgk_extract_token(), potentially leading to out-of-bounds memory access during RxGK token processing in the kernel.

Affected Products

• Linux kernel (upstream rxgk / RxRPC subsystem)
• Linux kernel stable branches receiving commits 183d37f, 43222ac, and 6929350
• Distributions shipping kernels with RxGK support enabled

Discovery Timeline

• 2026-05-27 - CVE-2026-46039 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-46039

Vulnerability Analysis

The vulnerability is an integer overflow [CWE-190] in the length validation logic of rxgk_extract_token(). RxGK is the GSSAPI-based security class for the Rx RPC protocol used by AFS. During token extraction, the kernel parses an attacker-influenced ticket field and validates its declared length against the buffer's available data. The original implementation rounded the declared length up to an alignment boundary before comparison. When the declared length sat near SIZE_MAX, that round-up operation wrapped to a small value, allowing oversized tickets to pass the check and be processed as if they fit in the buffer.

Root Cause

The root cause is unsafe arithmetic on attacker-controlled input prior to a bounds comparison. The function computed round_up(ticket_len, alignment) and compared the result against the available data size. Because ticket_len is derived from untrusted network input, an attacker could choose a value such that the rounded result overflowed past zero. The patched code instead applies round_down() to the trusted available-data size and compares the untouched ticket_len against it, eliminating the overflow primitive.

Attack Vector

Exploitation requires the ability to deliver a crafted RxGK token to a vulnerable kernel, which generally means reaching an AFS or RxRPC endpoint that negotiates the RxGK security class. The malicious token carries a length field engineered to trigger the overflow during validation. The immediate consequence is the kernel proceeding with token processing using an attacker-supplied length that exceeds the underlying buffer. Specific exploitability depends on downstream consumers of the validated length, but the class of bug typically enables out-of-bounds reads or related memory-safety violations in kernel context.

No public proof-of-concept code is listed in the advisory data. The technical fix can be reviewed in the upstream commits: Kernel Git Commit 183d37f, Kernel Git Commit 43222ac, and Kernel Git Commit 6929350.

Detection Methods for CVE-2026-46039

Indicators of Compromise

• Unexpected RxRPC or AFS protocol errors in dmesg or kernel logs referencing rxgk_extract_token or token parsing failures.
• Kernel oops, KASAN reports, or slab-out-of-bounds traces tied to the rxgk code path.
• Anomalous inbound traffic to UDP port 7001 (afs3-callback) or other AFS service ports from untrusted networks.

Detection Strategies

• Inventory running kernel versions against the patched commits (183d37f, 43222ac, 6929350) to identify unpatched hosts.
• Monitor for AFS/RxRPC traffic on systems that should not be running AFS clients or servers, which can indicate reconnaissance or exploitation attempts.
• Correlate kernel crash telemetry with network sessions targeting RxGK-enabled endpoints.

Monitoring Recommendations

• Ingest kernel logs and crash dumps centrally and alert on faults originating in net/rxrpc/ or rxgk symbols.
• Track per-host RxRPC error counters exposed via /proc/net/rxrpc for sudden increases.
• Apply network segmentation monitoring to detect unexpected exposure of AFS services beyond trusted subnets.

How to Mitigate CVE-2026-46039

Immediate Actions Required

• Update to a Linux kernel build that includes commits 183d37f12d1c, 43222ac484f9, and 6929350080f4.
• On systems that do not require AFS or RxRPC, unload or blacklist the rxrpc and kafs kernel modules.
• Restrict inbound network access to AFS/RxRPC ports to known clients and servers only.

Patch Information

The issue is resolved upstream by replacing the round-up-then-compare pattern with a round-down of the available data size in rxgk_extract_token(). The fix is published in the following stable kernel commits: Kernel Git Commit 183d37f, Kernel Git Commit 43222ac, and Kernel Git Commit 6929350. Apply the distribution-provided kernel update that incorporates these commits and reboot to activate the patched kernel.

Workarounds

• Disable AFS/RxRPC functionality on hosts that do not require it by preventing the rxrpc and kafs modules from loading.
• Use host-based or network firewalls to drop RxRPC traffic from untrusted sources until the kernel can be patched.
• Limit kernel module loading with modules_disabled or signed-module enforcement to reduce attack surface on production hosts.

# Prevent rxrpc/kafs from loading until a patched kernel is deployed
echo 'install rxrpc /bin/true' | sudo tee /etc/modprobe.d/disable-rxrpc.conf
echo 'install kafs  /bin/true' | sudo tee -a /etc/modprobe.d/disable-rxrpc.conf
sudo rmmod kafs 2>/dev/null
sudo rmmod rxrpc 2>/dev/null

# Verify running kernel version after patching
uname -r