{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: rxrpc: fix oversized RESPONSE authenticator length check",
    "id" : "2461567",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461567"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-130",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrxrpc: fix oversized RESPONSE authenticator length check\nrxgk_verify_response() decodes auth_len from the packet and is supposed\nto verify that it fits in the remaining bytes. The existing check is\ninverted, so oversized RESPONSE authenticators are accepted and passed\nto rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an\nimpossible length and hit BUG_ON(len).\nDecoded from the original latest-net reproduction logs with\nscripts/decode_stacktrace.sh:\nRIP: __skb_to_sgvec()\n[net/core/skbuff.c:5285 (discriminator 1)]\nCall Trace:\nskb_to_sgvec() [net/core/skbuff.c:5305]\nrxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]\nrxgk_verify_response() [net/rxrpc/rxgk.c:1268]\nrxrpc_process_connection()\n[net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364\nnet/rxrpc/conn_event.c:386]\nprocess_one_work() [kernel/workqueue.c:3281]\nworker_thread()\n[kernel/workqueue.c:3353 kernel/workqueue.c:3440]\nkthread() [kernel/kthread.c:436]\nret_from_fork() [arch/x86/kernel/process.c:164]\nReject authenticator lengths that exceed the remaining packet payload.", "A flaw was found in the Linux kernel's rxrpc component. An inverted length check in the `rxgk_verify_response()` function allows oversized RESPONSE authenticators to be accepted. This can lead to an impossible length being passed to `skb_to_sgvec()`, triggering a `BUG_ON` condition and resulting in a system crash, effectively causing a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31635\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31635\nhttps://lore.kernel.org/linux-cve-announce/2026042455-CVE-2026-31635-73bd@gregkh/T" ],
  "name" : "CVE-2026-31635",
  "csaw" : false
}