PatchSiren cyber security CVE debrief

CVE-2026-31635 Linux CVE debrief

CVE-2026-31635 is a Linux kernel rxrpc issue in which RESPONSE authenticator length validation is inverted. According to the supplied CVE text, oversized authenticators can be accepted by rxgk_verify_response(), passed into rxgk_decrypt_skb(), and eventually reach skb_to_sgvec() with an impossible length, triggering BUG_ON(len) and a kernel crash. NVD records the issue as HIGH severity (CVSS 7.5) with network attack vector and no privileges or user interaction required. The CVE was published on 2026-04-24 and modified on 2026-05-18.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-24
Original CVE updated: 2026-05-18
Advisory published: 2026-04-24
Advisory updated: 2026-05-18

Who should care

Linux kernel maintainers, distribution security teams, embedded/device vendors, and operators running affected kernel builds that use rxrpc/RXGK-related networking paths.

Technical summary

The flaw is a bounds-check inversion in rxgk_verify_response(): auth_len is decoded from the packet, but the comparison against the bytes remaining in the packet is written the wrong way round, so RESPONSE authenticators longer than the data actually present are not rejected. The supplied description says this malformed length can propagate into rxgk_decrypt_skb() and then skb_to_sgvec(), where an impossible length can hit BUG_ON(len) in __skb_to_sgvec(). NVD lists affected Linux kernel ranges of 6.16.1 up to (but not including) 6.18.23 and 6.19 up to (but not including) 6.19.13, plus explicit vulnerable entries for 6.16 and for 7.0-rc1 through 7.0-rc7.
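To make the "inverted bounds check" concrete, here is an added illustration (not the kernel's rxrpc code, and not PatchSiren's own material) of a generic length-prefixed field parser written both ways. The layout (a 4-byte big-endian length followed by that many bytes), the function names parse_auth_inverted() and parse_auth_checked(), and the two sample packets are all constructed for this example; the point is that the inverted comparison rejects well-formed input and passes a length far larger than the buffer on to whatever consumes it, which is exactly the condition a downstream assertion such as BUG_ON(len) is meant to catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only: a generic length-prefixed field, not the real
 * RESPONSE layout. Constructed layout: 4-byte big-endian length, then
 * that many bytes of authenticator data. */
struct auth_field {
    uint32_t auth_len;      /* length taken from the packet */
    const uint8_t *auth;    /* start of the authenticator bytes */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Buggy variant: the comparison against the remaining bytes is inverted.
 * A length that fits is rejected and a length that does not fit is
 * accepted, so an impossible auth_len reaches the caller.
 * Returns 0 when accepted, -1 when rejected; `out` may be NULL. */
int parse_auth_inverted(const uint8_t *pkt, size_t pkt_len, struct auth_field *out)
{
    if (pkt_len < 4)
        return -1;
    uint32_t auth_len = be32(pkt);
    size_t remaining = pkt_len - 4;
    if (auth_len <= remaining)      /* BUG: the sense of this test is inverted */
        return -1;
    if (out) {
        out->auth_len = auth_len;
        out->auth = pkt + 4;
    }
    return 0;
}

/* Hardened variant: reject any auth_len that does not fit in the bytes
 * actually present, so later stages (the equivalent of the decrypt and
 * scatter-gather steps) never see a length that runs past the buffer. */
int parse_auth_checked(const uint8_t *pkt, size_t pkt_len, struct auth_field *out)
{
    if (pkt_len < 4)
        return -1;
    uint32_t auth_len = be32(pkt);
    size_t remaining = pkt_len - 4;
    if (auth_len > remaining)       /* correct: length must fit what is left */
        return -1;
    if (out) {
        out->auth_len = auth_len;
        out->auth = pkt + 4;
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t sample_good_pkt[] = { 0x00, 0x00, 0x00, 0x08,
                                    1, 2, 3, 4, 5, 6, 7, 8 };   /* len 8, 8 bytes present    */
const uint8_t sample_over_pkt[] = { 0x00, 0x00, 0x10, 0x00,
                                    1, 2, 3, 4, 5, 6, 7, 8 };   /* len 4096, 8 bytes present */
const size_t sample_good_len = sizeof sample_good_pkt;
const size_t sample_over_len = sizeof sample_over_pkt;

int main(void)
{
    struct auth_field f;
    printf("inverted check, oversized length: %s\n",
           parse_auth_inverted(sample_over_pkt, sample_over_len, &f) == 0
               ? "ACCEPTED (impossible length passed on)" : "rejected");
    printf("hardened check, oversized length: %s\n",
           parse_auth_checked(sample_over_pkt, sample_over_len, &f) == 0
               ? "accepted" : "rejected (as it should be)");
    printf("hardened check, well-formed field: %s\n",
           parse_auth_checked(sample_good_pkt, sample_good_len, &f) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The hardened variant is the shape of check the CVE text describes as the intended fix: length validated against the bytes present before the value is handed to any decrypt or scatter-gather step, so a malformed packet produces a protocol error rather than a fatal assertion.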

Defensive priority

High. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a remotely reachable availability impact with no authentication or user action required, so affected systems should be patched promptly.

Recommended defensive actions

  • Apply a Linux kernel update that includes the referenced stable fixes listed by NVD.
  • Inventory whether any deployed systems match the affected kernel ranges in the NVD CPE data, especially hosts using rxrpc/RXGK functionality.
  • Treat unexpected kernel panics involving __skb_to_sgvec(), skb_to_sgvec(), or rxgk_* call paths as high-priority signals for this issue.
  • If immediate patching is not possible, reduce exposure of systems that can receive the relevant network traffic and monitor for crash loops or repeated worker-thread panics.
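For the inventory step, the following added example (not PatchSiren's or NVD's own tooling) checks a kernel release string against the affected ranges quoted from NVD on this page. The struct and function names (kver, parse_kver(), kver_str_affected()) are this example's own; the range table encodes 6.16, 6.16.1 up to before 6.18.23, 6.19 up to before 6.19.13, and 7.0-rc1 through 7.0-rc7, with an -rcN version ordered before the corresponding release. A match is a reason to consult the vendor's changelog, because distribution kernels frequently backport fixes without changing the upstream version number.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* rc == 0 means a final release; rc == N means -rcN (sorts before the release). */
struct kver { int major, minor, patch, rc; };

/* Parse "6.18.22", "6.19", "7.0-rc3" or a distro string such as "6.19.12-arch1".
 * Returns false if no "major.minor" prefix can be read. */
bool parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = v->rc = 0;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
        return false;
    const char *rc = strstr(s, "-rc");
    if (rc && (sscanf(rc + 3, "%d", &v->rc) != 1 || v->rc <= 0))
        v->rc = 0;               /* "-rc" without a usable number: treat as a release */
    return true;
}

/* Tuple comparison; a release (rc == 0) ranks above every -rcN of the same number. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    int ka[4] = { a->major, a->minor, a->patch, a->rc ? a->rc : INT_MAX };
    int kb[4] = { b->major, b->minor, b->patch, b->rc ? b->rc : INT_MAX };
    for (int i = 0; i < 4; i++)
        if (ka[i] != kb[i])
            return ka[i] < kb[i] ? -1 : 1;
    return 0;
}

/* Affected ranges as listed on this page from NVD, each as [lo, hi) with hi
 * exclusive. The rc entry is written as [7.0-rc1, 7.0-rc8) to cover rc1..rc7. */
static const struct { struct kver lo, hi; } affected[] = {
    { {6, 16, 0, 0}, {6, 16, 1, 0}  },   /* 6.16 (explicit entry)         */
    { {6, 16, 1, 0}, {6, 18, 23, 0} },   /* 6.16.1 up to before 6.18.23   */
    { {6, 19, 0, 0}, {6, 19, 13, 0} },   /* 6.19 up to before 6.19.13     */
    { {7, 0, 0, 1},  {7, 0, 0, 8}   },   /* 7.0-rc1 through 7.0-rc7       */
};

/* 1 = inside an affected range, 0 = outside every listed range, -1 = unparsable. */
int kver_str_affected(const char *release)
{
    struct kver v;
    if (!parse_kver(release, &v))
        return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(&v, &affected[i].lo) >= 0 && kver_cmp(&v, &affected[i].hi) < 0)
            return 1;
    return 0;
}

int main(void)
{
    struct utsname u;
    const char *rel = uname(&u) == 0 ? u.release : "unknown";
    int r = kver_str_affected(rel);
    printf("%s: %s\n", rel,
           r == 1 ? "inside an NVD-listed affected range (check vendor backports)"
         : r == 0 ? "outside the listed ranges"
                  : "could not parse release string");
    return 0;
}
```

Run it on each host (or feed it the release strings collected by your inventory tooling) to get a first-pass list of candidates; confirm exposure against the distribution's advisory for the referenced stable fixes before treating a version match as a finding.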

Evidence notes

All technical claims here are taken from the supplied CVE description and NVD reference data. The crash path and the intended fix are described in the CVE text itself. NVD also lists three kernel stable patch references corresponding to the fix, and a separate GitHub source reference is present in the record; this debrief does not rely on any unverified exploit details from that source.

Official resources

Publicly disclosed in the CVE record on 2026-04-24T15:16:42.820Z and last modified in NVD on 2026-05-18T15:16:25.370Z. No KEV entry is listed in the supplied timeline.