CVE-2026-31641
rxrpc: Fix RxGK token loading to check bounds
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track. No exploitation signal → monitor
CVSS 7.8 · EPSS 0.1% · KEV: no · PoC: none · Nuclei: none · Metasploit: none · Patch referenced
Lifecycle
24 Apr 2026: Published in NVD
Recommendation: Monitor; no exploitation signal for now.
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix RxGK token loading to check bounds
rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length
from the XDR token as u32 values and passes each through round_up(x, 4)
before using the rounded value for validation and allocation. When the raw
length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and
kzalloc both use 0 while the subsequent memcpy still copies the original
~4 GiB value, producing a heap buffer overflow reachable from an
unprivileged add_key() call.
Fix this by:
(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket
lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with
the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.
(2) Sizing the flexible-array allocation from the validated raw key
length via struct_size_t() instead of the rounded value.
(3) Caching the raw lengths so that the later field assignments and
memcpy calls do not re-read from the token, eliminating a class of
TOCTOU re-parse.
The control path (valid token with lengths within bounds) is unaffected.
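The wrap described above, as an added example that is not the kernel's code: a user-space C model of validating and sizing from the rounded length while copying the raw one, next to the cap-before-rounding form. The names `round_up4`, `accept_rounded`, `accept_capped`, `struct lens` and the `DEMO_*` cap values are assumptions for illustration; the page does not state the real cap values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed demo caps; the page names AFSTOKEN_GK_KEY_MAX and
 * AFSTOKEN_GK_TOKEN_MAX but does not state their values. */
#define DEMO_GK_KEY_MAX   64u
#define DEMO_GK_TOKEN_MAX 16384u

/* Same arithmetic as round_up(x, 4) on a 32-bit unsigned value. */
static uint32_t round_up4(uint32_t x) { return (x + 3u) & ~UINT32_C(3); }
struct lens { uint32_t alloc_len; uint32_t copy_len; };

/* Flawed pattern: validate and size from the rounded value, copy the raw one. */
static bool accept_rounded(uint32_t raw_key, uint32_t raw_tkt,
                           uint32_t remaining, struct lens *out)
{
    uint32_t key = round_up4(raw_key), tkt = round_up4(raw_tkt);
    if (key > remaining || tkt > remaining - key)
        return false;
    out->alloc_len = key;      /* wraps to 0 for raw_key >= 0xfffffffd */
    out->copy_len = raw_key;   /* still the unrounded value */
    return true;
}

/* Corrected pattern: cap the raw values before rounding, then size the
 * buffer and the copy from the same cached raw length. */
static bool accept_capped(uint32_t raw_key, uint32_t raw_tkt,
                          uint32_t remaining, struct lens *out)
{
    if (raw_key > DEMO_GK_KEY_MAX || raw_tkt > DEMO_GK_TOKEN_MAX)
        return false;
    uint32_t key = round_up4(raw_key), tkt = round_up4(raw_tkt);
    if (key > remaining || tkt > remaining - key)
        return false;
    out->alloc_len = raw_key;
    out->copy_len = raw_key;
    return true;
}

int main(void)
{
    struct lens l = {0, 0};
    uint32_t raw = UINT32_C(0xfffffffd);   /* constructed input */
    printf("rounded: accept=%d ", accept_rounded(raw, 16, 32, &l));
    printf("alloc=%u copy=%u\n", (unsigned)l.alloc_len, (unsigned)l.copy_len);
    printf("capped: accept=%d\n", accept_capped(raw, 16, 32, &l));
    return 0;
}
```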
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Linux
References
https://access.redhat.com/errata/RHSA-2026:27288
https://access.redhat.com/security/cve/CVE-2026-31641
https://bugzilla.redhat.com/show_bug.cgi?id=2461548
https://git.kernel.org/stable/c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c
https://git.kernel.org/stable/c/49875b360c2b83a3c226e189c502e501d83e6445
https://git.kernel.org/stable/c/d179a868dd755b0cfcf7582e00943d702b9943b8
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31641.json